Current File : //etc/auditbeat/fields.yml
# WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 8.0.0-dev.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.

- key: ecs
  title: ECS
  description: ECS Fields.
  fields:
  - name: '@timestamp'
    level: core
    required: true
    type: date
    description: 'Date/time when the event originated.

      This is the date/time extracted from the event, typically representing when
      the event was generated by the source.

      If the event source has no original timestamp, this value is typically populated
      by the first time the event was received by the pipeline.

      Required field for all events.'
    example: '2016-05-23T08:05:34.853Z'
    default_field: true
  - name: labels
    level: core
    type: object
    object_type: keyword
    description: 'Custom key/value pairs.

      Can be used to add meta information to events. Should not contain nested objects.
      All values are stored as keyword.

      Example: `docker` and `k8s` labels.'
    example: '{"application": "foo-bar", "env": "production"}'
    default_field: true
  - name: message
    level: core
    type: match_only_text
    description: 'For log events the message field contains the log message, optimized
      for viewing in a log viewer.

      For structured logs without an original message field, other fields can be concatenated
      to form a human-readable summary of the event.

      If multiple messages exist, they can be combined into one message.'
    example: Hello World
    default_field: true
  - name: tags
    level: core
    type: keyword
    ignore_above: 1024
    description: List of keywords used to tag each event.
    example: '["production", "env2"]'
    default_field: true
  - name: agent
    title: Agent
    group: 2
    description: 'The agent fields contain the data about the software entity, if
      any, that collects, detects, or observes events on a host, or takes measurements
      on a host.

      Examples include Beats. Agents may also run on observers. ECS agent.* fields
      shall be populated with details of the agent running on the host or observer
      where the event happened or the measurement was taken.'
    footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
      For APM, it is the agent running in the app/service. The agent information does
      not change if data is sent through queuing systems like Kafka, Redis, or processing
      systems such as Logstash or APM Server.'
    type: group
    default_field: true
    fields:
    - name: build.original
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Extended build information for the agent.

        This field is intended to contain any build information that a data source
        may provide, no specific formatting is required.'
      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
        built 2020-02-05 23:10:10 +0000 UTC]
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this agent (if one exists).

        This id normally changes across restarts, but `agent.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of this agent (if one exists).

        Example: For Beats this would be beat.id.'
      example: 8a4f500d
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the agent.

        This is a name that can be given to an agent. This can be helpful if for example
        two Filebeat instances are running on the same host but a human readable separation
        is needed on which Filebeat instance data is coming from.

        If no name is given, the name is often left empty.'
      example: foo
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of the agent.

        The agent type always stays the same and should be given by the agent used.
        In case of Filebeat the agent would always be Filebeat also if two Filebeat
        instances are run on the same machine.'
      example: filebeat
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Version of the agent.
      example: 6.0.0-rc2
  - name: as
    title: Autonomous System
    group: 2
    description: An autonomous system (AS) is a collection of connected Internet Protocol
      (IP) routing prefixes under the control of one or more network operators on
      behalf of a single administrative entity or domain that presents a common, clearly
      defined routing policy to the internet.
    type: group
    default_field: true
    fields:
    - name: number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
  - name: client
    title: Client
    group: 2
    description: 'A client is defined as the initiator of a network connection for
      events regarding sessions, connections, or bidirectional flow records.

      For TCP events, the client is the initiator of the TCP connection that sends
      the SYN packet(s). For other protocols, the client is generally the initiator
      or requestor in the network transaction. Some systems use the term "originator"
      to refer to the client in TCP connections. The client fields describe details about
      the system acting as the client in the network event. Client fields are usually
      populated in conjunction with server fields. Client fields are generally not
      populated for packet-level events.

      Client / server representations can add semantic context to an exchange, which
      is helpful to visualize the data in certain situations. If your context falls
      in that category, you should still ensure that source and destination are filled
      appropriately.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event client addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the client to the server.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the client system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the client (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the client.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the client to the server.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the client.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered client domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: cloud
    title: Cloud
    group: 2
    description: Fields related to the cloud or infrastructure the events are coming
      from.
    footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
      from its host, the cloud info contains the data about this machine. If Metricbeat
      runs on a remote machine outside the cloud and fetches data from a service running
      in the cloud, the field contains cloud data from the machine the service is
      running on.

      The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to
      describe origin or target service''s cloud information in the context of incoming
      or outgoing requests, respectively. However, the fieldsets cloud.origin.* and
      cloud.target.* must not be confused with the root cloud fieldset that is used
      to describe the cloud context of the actual service under observation. The
      fieldset cloud.origin.* may only be used in the context of incoming requests
      or events to provide the originating service''s cloud information. The fieldset
      cloud.target.* may only be used in the context of outgoing requests or events
      to describe the target service''s cloud information.'
    type: group
    default_field: true
    fields:
    - name: account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
    - name: account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
    - name: instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
    - name: instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
    - name: machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
    - name: origin.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: origin.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: origin.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: origin.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: origin.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: origin.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: origin.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: origin.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: origin.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: origin.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: origin.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
    - name: region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
    - name: service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: target.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: target.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: target.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: target.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: target.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: target.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: target.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: target.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: target.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: target.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: target.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
  - name: code_signature
    title: Code Signature
    group: 2
    description: These fields contain information about binary code signatures.
    type: group
    default_field: true
    fields:
    - name: digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
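The `code_signature` fields above separate three states that detection logic often conflates: no signature at all, a signature that was present but never verified, and a signature that was verified and failed. The following is an added example (not ECS or Elastic code) that maps a verifier's outcome onto these fields, leaving `valid`, `trusted` and `status` unpopulated when nothing was checked, as the descriptions require. The `VerifierResult` shape and the sample values are constructed assumptions, not any platform API. The same mapping applies unchanged to the `dll.code_signature.*` copy of these fields later on this page.

```python
"""Map a signature verifier's outcome onto ECS code_signature.* fields.

Added illustration, not ECS or Elastic code. VerifierResult is a constructed
stand-in for what a platform verifier (Authenticode, codesign, ...) reports.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class VerifierResult:
    signature_present: bool           # any signature blob attached?
    checked: bool                     # did the tool actually verify it?
    valid: Optional[bool] = None      # digest matches the binary content
    trusted: Optional[bool] = None    # chain anchors to a trusted root
    error: Optional[str] = None       # e.g. ERROR_UNTRUSTED_ROOT
    subject_name: Optional[str] = None
    digest_algorithm: Optional[str] = None


def to_ecs_code_signature(r: VerifierResult) -> Dict:
    """Emit valid/trusted/status only when the verifier really checked them."""
    ecs: Dict = {"exists": r.signature_present}
    if not r.signature_present:
        return ecs
    if r.subject_name:
        ecs["subject_name"] = r.subject_name
    if r.digest_algorithm:
        ecs["digest_algorithm"] = r.digest_algorithm
    if not r.checked:
        # An absent field means "unchecked"; it must not be written as false.
        return ecs
    if r.valid is not None:
        ecs["valid"] = r.valid
    if r.trusted is not None:
        ecs["trusted"] = r.trusted
    if r.error:
        ecs["status"] = r.error
    return ecs


def classify(ecs: Dict) -> str:
    """Detection-side reading that keeps 'unverified' apart from 'bad'."""
    if not ecs.get("exists"):
        return "unsigned"
    if "valid" not in ecs and "trusted" not in ecs:
        return "signed-unverified"
    if ecs.get("valid") is False:
        return "tampered"
    if ecs.get("trusted") is False:
        return "untrusted-chain"
    return "signed-trusted"
```

A rule such as `code_signature.trusted: false` therefore matches only binaries a tool actually evaluated; to find binaries whose chain was never checked, query for the field's absence rather than for `false`.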
  - name: container
    title: Container
    group: 2
    description: 'Container fields are used for meta information about the specific
      container that is the source of information.
      These fields help correlate data based on containers from any runtime.'
    type: group
    default_field: true
    fields:
    - name: cpu.usage
      level: extended
      type: scaled_float
      description: 'Percent CPU used, normalized by the number of CPU cores, ranging
        from 0 to 1. Scaling factor: 1000.'
      scaling_factor: 1000
      default_field: false
    - name: disk.read.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) read successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: disk.write.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) written successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique container id.
    - name: image.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the image the container was built on.
    - name: image.tag
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container image tags.
    - name: labels
      level: extended
      type: object
      object_type: keyword
      description: Image labels.
    - name: memory.usage
      level: extended
      type: scaled_float
      description: 'Memory usage percentage, ranging from 0 to 1. Scaling factor:
        1000.'
      scaling_factor: 1000
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container name.
    - name: network.egress.bytes
      level: extended
      type: long
      description: The number of bytes (gauge) sent out on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: network.ingress.bytes
      level: extended
      type: long
      description: The number of bytes received (gauge) on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: runtime
      level: extended
      type: keyword
      ignore_above: 1024
      description: Runtime managing this container.
      example: docker
  - name: data_stream
    title: Data Stream
    group: 2
    description: 'The data_stream fields take part in defining the new data stream
      naming scheme.

      In the new data stream naming scheme the value of the data stream fields combine
      to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
      This means the fields can only contain characters that are valid as part of
      names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
      post].

      An Elasticsearch data stream consists of one or more backing indices, and a
      data stream name forms part of the backing indices names. Due to this convention,
      data streams must also follow index naming restrictions. For example, data stream
      names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
      `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
    type: group
    default_field: true
    fields:
    - name: dataset
      level: extended
      type: constant_keyword
      description: "The field can contain anything that makes sense to signify the\
        \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
        \ etc. For data streams that otherwise fit, but that do not have dataset set\
        \ we use the value \"generic\" for the dataset value. `event.dataset` should\
        \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
        \ data stream naming criteria noted above, the `dataset` value has additional\
        \ restrictions:\n  * Must not contain `-`\n  * No longer than 100 characters"
      example: nginx.access
      default_field: false
    - name: namespace
      level: extended
      type: constant_keyword
      description: "A user defined namespace. Namespaces are useful to allow grouping\
        \ of data.\nMany users already organize their indices this way, and the data\
        \ stream naming scheme now provides this best practice as a default. Many\
        \ users will populate this field with `default`. If no value is used, it falls\
        \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
        \ above, `namespace` value has the additional restrictions:\n  * Must not\
        \ contain `-`\n  * No longer than 100 characters"
      example: production
      default_field: false
    - name: type
      level: extended
      type: constant_keyword
      description: 'An overarching type for the data stream.

        Currently allowed values are "logs" and "metrics". We expect to also add "traces"
        and "synthetics" in the near future.'
      example: logs
      default_field: false
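The naming rules in the `data_stream` group above are easy to get wrong in a shipper or an ingest pipeline, because a `-` inside `dataset` or `namespace` makes the composed name ambiguous to split. The following is an added example (not ECS or Elastic code) that composes and validates a data stream name from the three fields using exactly the restrictions listed in this group: the `{type}-{dataset}-{namespace}` layout, the currently allowed types, no `-` and at most 100 characters per part, and the characters Elasticsearch rejects in index names. The lowercase check reflects the Elasticsearch index-name rule and is an addition to what this page spells out.

```python
"""Compose and validate a data stream name per the ECS data_stream.* rules.

Added example, not ECS or Elastic code.
"""
from typing import Dict

ALLOWED_TYPES = {"logs", "metrics"}   # "traces"/"synthetics" are announced, not yet allowed
FORBIDDEN_CHARS = set('\\/*?"<>| ,#')  # rejected in Elasticsearch index names
MAX_PART_LEN = 100


def _check_part(label: str, value: str) -> None:
    if not value:
        raise ValueError(f"{label} must not be empty")
    if "-" in value:
        raise ValueError(f"{label} must not contain '-': {value!r}")
    if len(value) > MAX_PART_LEN:
        raise ValueError(f"{label} longer than {MAX_PART_LEN} characters")
    bad = FORBIDDEN_CHARS & set(value)
    if bad:
        raise ValueError(f"{label} contains characters invalid in index names: {sorted(bad)}")
    if value != value.lower():
        # Elasticsearch index names are lowercase only (assumption beyond this page's text).
        raise ValueError(f"{label} must be lowercase: {value!r}")


def data_stream_name(type_: str, dataset: str, namespace: str = "default") -> str:
    """Return '{type}-{dataset}-{namespace}' after validating each part."""
    if type_ not in ALLOWED_TYPES:
        raise ValueError(f"unsupported data_stream.type {type_!r}")
    namespace = namespace or "default"   # empty namespace falls back to "default"
    _check_part("data_stream.dataset", dataset)
    _check_part("data_stream.namespace", namespace)
    return f"{type_}-{dataset}-{namespace}"


def is_valid_name(type_: str, dataset: str, namespace: str = "default") -> bool:
    try:
        data_stream_name(type_, dataset, namespace)
        return True
    except ValueError:
        return False


def split_data_stream_name(name: str) -> Dict[str, str]:
    """Inverse of data_stream_name: because dataset and namespace can never
    contain '-', splitting on it is unambiguous. event.dataset mirrors dataset."""
    parts = name.split("-")
    if len(parts) != 3 or parts[0] not in ALLOWED_TYPES:
        raise ValueError(f"not a data stream name: {name!r}")
    type_, dataset, namespace = parts
    return {"data_stream.type": type_, "data_stream.dataset": dataset,
            "data_stream.namespace": namespace, "event.dataset": dataset}
```

Validating at the producer is cheaper than discovering the problem as rejected bulk requests, and the split function is what a consumer needs to recover the three fields from a backing-index name.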
  - name: destination
    title: Destination
    group: 2
    description: 'Destination fields capture details about the receiver of a network
      exchange/packet. These fields are populated from a network event, packet, or
      other event containing details of a network transaction.

      Destination fields are usually populated in conjunction with source fields.
      The source and destination fields are considered the baseline and should always
      be filled if an event contains source and destination details from a network
      transaction. If the event also contains identification of the client and server
      roles, then the client and server fields should also be populated.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event destination addresses are defined ambiguously. The
        event will sometimes list an IP, a domain or a unix socket.  You should always
        store the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the destination to the source.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the destination system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number if this describes
        a local physical entity, or city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the destination (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the destination.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
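Two of the `destination` fields above carry normalization rules rather than plain values: `address` must keep the raw string while `ip` or `domain` receives a typed copy, and `mac` is suggested in the RFC 7042 form. The following is an added example (not ECS or Beats code) that applies both rules to raw log values. The bracketed IPv6 form, the unix-socket case and the lowercasing of the domain copy are this example's assumptions about input, not ECS requirements; all sample inputs are constructed.

```python
"""Populate destination.address/.ip/.domain and destination.mac from raw values.

Added example, not ECS or Beats code.
"""
import ipaddress
import re
from typing import Dict, Optional

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the RFC 7042 form ECS suggests: uppercase hex octets joined by '-'.
    Accepts 00:00:5e:00:53:23, 0000.5e00.5323 (Cisco), 00005e005323 and the
    target form itself."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def destination_fields(address: str, mac: Optional[str] = None) -> Dict[str, str]:
    """Always store the raw value in .address, then copy it to .ip or .domain."""
    out = {"destination.address": address}
    value = address
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]          # "[2001:db8::1]" bracket form (assumed input style)
    try:
        ip = ipaddress.ip_address(value)
        out["destination.ip"] = str(ip)   # canonical text; IPv6 gets compressed
    except ValueError:
        if value.startswith("/"):
            pass                     # unix socket path: neither ip nor domain
        else:
            # Lowercased so keyword term queries match regardless of the log's
            # casing; this is a choice of the example, not an ECS rule.
            out["destination.domain"] = value.rstrip(".").lower()
    if mac:
        out["destination.mac"] = normalize_mac(mac)
    return out
```

Keeping `.address` untouched matters for investigations: once `.ip` is parsed and `.domain` lowercased, the raw string is the only place the original spelling survives.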
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of the destination, based on NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Port the destination session is translated to by the NAT device.

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the destination to the source.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the destination.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered destination domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain.  In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: dll
    title: DLL
    group: 2
    description: 'These fields contain information about code libraries dynamically
      loaded into processes.


      Many operating systems refer to "shared code libraries" with different names,
      but this field set refers to all of the following:

      * Dynamic-link library (`.dll`) commonly used on Windows

      * Shared Object (`.so`) commonly used on Unix-like operating systems

      * Dynamic library (`.dylib`) commonly used on macOS'
    type: group
    default_field: true
    fields:
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the library.

        This generally maps to the name of the file on disk.'
      example: kernel32.dll
      default_field: false
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      description: Full file path of the library.
      example: C:\Windows\System32\kernel32.dll
      default_field: false
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
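The `pe.imphash` description says what an import hash is for but not how it is built, and the property that makes it useful (the same value across recompilation, casing and extension differences) comes entirely from the normalization step. The following is an added example, not pefile's or ECS's code, that follows the recipe the linked FireEye post describes: for every imported function, form `library.function` with the library lowercased and stripped of a `.dll`/`.ocx`/`.sys` extension and the function name lowercased, join the entries in import-table order with commas, and MD5 the result. The import tables here are constructed lists; a real implementation reads them from the PE import directory and also resolves well-known ordinals (for example in `ws2_32.dll` and `oleaut32.dll`) to names, which this version deliberately leaves as `ordN`.

```python
"""Compute an import hash (imphash) over a PE import table.

Added example; not pefile code. Ordinal lookup tables for well-known
libraries are omitted, so ordinal-only imports hash as 'ordN'.
"""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]   # (library name, function name or ordinal)


def normalize_imports(imports: Iterable[Import]) -> List[str]:
    """'library.function' entries in table order, lowercased, extension stripped."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return parts


def imphash(imports: Iterable[Import]) -> str:
    """MD5 over the comma-joined normalized entries, as a lowercase hex string."""
    joined = ",".join(normalize_imports(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed import tables. A and B are the same program as two build
# systems might emit it (different casing, one library without extension);
# C is a different program.
SAMPLE_A = [("KERNEL32.DLL", "CreateFileW"), ("KERNEL32.DLL", "WriteFile"),
            ("ADVAPI32.dll", "RegSetValueExW"), ("WS2_32.dll", 23)]
SAMPLE_B = [("kernel32.dll", "createfilew"), ("Kernel32.DLL", "WRITEFILE"),
            ("advapi32", "RegSetValueExW"), ("ws2_32.dll", 23)]
SAMPLE_C = SAMPLE_A[:2]
```

Because the hash is order-sensitive, a linker that reorders the import table changes it; because it ignores everything except imports, two unrelated binaries built from the same template can share one. Treat a matching `pe.imphash` as a lead to pivot on, not as proof of identity.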
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
  - name: dns
    title: DNS
    group: 2
    description: 'Fields describing DNS queries and answers.

      DNS events should either represent a single DNS query prior to getting answers
      (`dns.type:query`) or they should represent a full exchange and contain the
      query details as well as all of the answers that were provided for this query
      (`dns.type:answer`).'
    type: group
    default_field: true
    fields:
    - name: answers
      level: extended
      type: object
      description: 'An array containing an object for each answer section returned
        by the server.

        The main keys that should be present in these objects are defined by ECS.
        Records that have more information may contain more keys than what ECS defines.

        Not all DNS data sources give all details about DNS answers. At minimum, answer
        objects must contain the `data` key. If more information is available, map
        as much of it to ECS as possible, and add any additional fields to the answer
        objects as custom fields.'
    - name: answers.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: The class of DNS data contained in this resource record.
      example: IN
    - name: answers.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The data describing the resource.

        The meaning of this data depends on the type and class of the resource record.'
      example: 10.10.10.10
    - name: answers.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The domain name to which this resource record pertains.

        If a chain of CNAME is being resolved, each answer''s `name` should be the
        one that corresponds with the answer''s `data`. It should not simply be the
        original `question.name` repeated.'
      example: www.example.com
    - name: answers.ttl
      level: extended
      type: long
      description: The time interval in seconds that this resource record may be cached
        before it should be discarded. Zero values mean that the data should not be
        cached.
      example: 180
    - name: answers.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of data contained in this resource record.
      example: CNAME
    - name: header_flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of 2 letter DNS header flags.

        Expected values are: AA, TC, RD, RA, AD, CD, DO.'
      example: '["RD", "RA"]'
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS packet identifier assigned by the program that generated
        the query. The identifier is copied to the response.
      example: 62111
    - name: op_code
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS operation code that specifies the kind of query in the
        message. This value is set by the originator of a query and copied into the
        response.
      example: QUERY
    - name: question.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: The class of records being queried.
      example: IN
    - name: question.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The name being queried.

        If the name field contains non-printable characters (below 32 or above 126),
        those characters should be represented as escaped base 10 integers (\DDD).
        Back slashes and quotes should be escaped. Tabs, carriage returns, and line
        feeds should be converted to \t, \r, and \n respectively.'
      example: www.example.com
    - name: question.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: question.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain is all of the labels under the registered_domain.

        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: www
    - name: question.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
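The `registered_domain`, `subdomain` and `top_level_domain` descriptions, both here under `dns.question.*` and earlier under `destination.*`, warn that taking "the last two labels" breaks on effective TLDs such as `co.uk`. The following is an added example (not ECS or Elastic code) that does the split correctly against a public suffix table and shows the naive shortcut failing on the page's own `www.east.mydomain.co.uk` case. The embedded suffix table is a constructed excerpt of the Public Suffix List so the code runs offline; a real pipeline loads the full list from publicsuffix.org and handles its wildcard and exception rules, which this excerpt does not contain. The subdomain value follows the "all labels below the registered domain" rule given for `dns.question.subdomain`; the `destination.subdomain` text additionally drops the host label when the qualification level is known, which this example does not attempt.

```python
"""Split a domain into ECS registered_domain / subdomain / top_level_domain.

Added example, not ECS or Elastic code. Applies to destination.domain and
dns.question.name alike.
"""
from typing import Dict, Optional

# Constructed excerpt of the Public Suffix List. The real list also has
# wildcard ('*.ck') and exception ('!www.ck') rules, not modelled here.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk", "github.io"}


def effective_tld(domain: str) -> Optional[str]:
    """Longest suffix of `domain` that is a public suffix, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i=0 is the whole name, so longest first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def split_domain(domain: str) -> Dict[str, str]:
    """ECS-style decomposition; keys are omitted rather than set to empty."""
    labels = domain.lower().rstrip(".").split(".")
    etld = effective_tld(domain)
    if etld is None:
        return {"domain": domain}        # unknown suffix: do not guess
    n_tld = etld.count(".") + 1
    if len(labels) <= n_tld:
        # The name is itself a public suffix, e.g. "co.uk": nothing is registered.
        return {"domain": domain, "top_level_domain": etld}
    registered = ".".join(labels[-(n_tld + 1):])
    out = {"domain": domain, "top_level_domain": etld, "registered_domain": registered}
    sub = labels[: -(n_tld + 1)]
    if sub:
        out["subdomain"] = ".".join(sub)  # no trailing period
    return out


def naive_split(domain: str) -> str:
    """The shortcut the field descriptions warn against: last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])
```

The practical consequence of the naive version is worse than a cosmetic error: every `.co.uk` destination collapses to the same `registered_domain`, so a detection keyed on that field (new registered domain seen for the first time, or a threat list match) stops working for an entire ccTLD.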
    - name: question.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of record being queried.
      example: AAAA
    - name: resolved_ip
      level: extended
      type: ip
      description: 'Array containing all IPs seen in `answers.data`.

        The `answers` array can be difficult to use, because of the variety of data
        formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
        makes it possible to index them as IP addresses, and makes them easier to
        visualize and query for.'
      example: '["10.10.10.10", "10.10.10.11"]'
    - name: response_code
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS response code.
      example: NOERROR
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The type of DNS event captured, query or answer.

        If your source of DNS events only gives you DNS queries, you should only create
        dns events of type `dns.type:query`.

        If your source of DNS events gives you answers as well, you should create
        one event per query (optionally as soon as the query is seen), and a second
        event containing all query details as well as an array of answers.'
      example: answer
  - name: ecs
    title: ECS
    group: 2
    description: Meta-information specific to ECS.
    type: group
    default_field: true
    fields:
    - name: version
      level: core
      required: true
      type: keyword
      ignore_above: 1024
      description: 'ECS version this event conforms to. `ecs.version` is a required
        field and must exist in all events.

        When querying across multiple indices -- which may conform to slightly different
        ECS versions -- this field lets integrations adjust to the schema version
        of the events.'
      example: 1.0.0
  - name: elf
    title: ELF Header
    group: 2
    description: These fields contain Linux Executable Linkable Format (ELF) metadata.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
  - name: error
    title: Error
    group: 2
    description: 'These fields can represent errors of any kind.

      Use them for errors that happen while fetching events or in cases where the
      event itself contains an error.'
    type: group
    default_field: true
    fields:
    - name: code
      level: core
      type: keyword
      ignore_above: 1024
      description: Error code describing the error.
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the error.
    - name: message
      level: core
      type: match_only_text
      description: Error message.
    - name: stack_trace
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The stack trace of this error in plain text.
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of the error, for example the class name of the exception.
      example: java.lang.NullPointerException
  - name: event
    title: Event
    group: 2
    description: 'The event fields are used for context information about the log
      or metric event itself.

      A log is defined as an event containing details of something that happened.
      Log events must include the time at which the thing happened. Examples of log
      events include a process starting on a host, a network packet being sent from
      a source to a destination, or a network connection between a client and a server
      being initiated or closed. A metric is defined as an event containing one or
      more numerical measurements and the time at which the measurement was taken.
      Examples of metric events include memory pressure measured on a host and device
      temperature. See the `event.kind` definition in this section for additional
      details about metric and state events.'
    type: group
    default_field: true
    fields:
    - name: action
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The action captured by the event.

        This describes the information in the event. It is more specific than `event.category`.
        Examples are `group-add`, `process-started`, `file-created`. The value is
        normally defined by the implementer.'
      example: user-password-change
    - name: agent_id_status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Agents are normally responsible for populating the `agent.id`
        field value. If the system receiving events is capable of validating the value
        based on authentication information for the client then this field can be
        used to reflect the outcome of that validation.

        For example if the agent''s connection is authenticated with mTLS and the
        client cert contains the ID of the agent to which the cert was issued then
        the `agent.id` value in events can be checked against the certificate. If
        the values match then `event.agent_id_status: verified` is added to the event,
        otherwise one of the other allowed values should be used.

        If no validation is performed then the field should be omitted.

        The allowed values are:

        `verified` - The `agent.id` field value matches the expected value obtained from
        auth metadata.

        `mismatch` - The `agent.id` field value does not match the expected value
        obtained from auth metadata.

        `missing` - There was no `agent.id` field in the event to validate.

        `auth_metadata_missing` - There was no auth metadata or it was missing information
        about the agent ID.'
      example: verified
      default_field: false
    - name: category
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        second level in the ECS category hierarchy.

        `event.category` represents the "big buckets" of ECS categories. For example,
        filtering on `event.category:process` yields all events relating to process
        activity. This field is closely related to `event.type`, which is used as
        a subcategory.

        This field is an array. This will allow proper categorization of some events
        that fall in multiple categories.'
      example: authentication
    - name: code
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identification code for this event, if one exists.

        Some event sources use event codes to identify messages unambiguously, regardless
        of message language or wording adjustments over time. An example of this is
        the Windows Event ID.'
      example: 4648
    - name: created
      level: core
      type: date
      description: 'event.created contains the date/time when the event was first
        read by an agent, or by your pipeline.

        This field is distinct from @timestamp in that @timestamp typically contains
        the time extracted from the original event.

        In most situations, these two timestamps will be slightly different. The difference
        can be used to calculate the delay between your source generating an event,
        and the time when your agent first processed it. This can be used to monitor
        your agent''s or pipeline''s ability to keep up with your event source.

        In case the two timestamps are identical, @timestamp should be used.'
      example: '2016-05-23T08:05:34.857Z'
    - name: dataset
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the dataset.

        If an event source publishes more than one type of log or events (e.g. access
        log, error log), the dataset is used to specify which one the event comes
        from.

        It''s recommended but not required to start the dataset name with the module
        name, followed by a dot, then the dataset name.'
      example: apache.access
    - name: duration
      level: core
      type: long
      format: duration
      input_format: nanoseconds
      output_format: asMilliseconds
      output_precision: 1
      description: 'Duration of the event in nanoseconds.

        If event.start and event.end are known this value should be the difference
        between the end and start time.'
    - name: end
      level: extended
      type: date
      description: event.end contains the date when the event ended or when the activity
        was last observed.
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: Hash (perhaps logstash fingerprint) of raw field to be able to
        demonstrate log integrity.
      example: 123456789012345678901234567890ABCD
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique ID to describe the event.
      example: 8a4f500d
    - name: ingested
      level: core
      type: date
      description: 'Timestamp when an event arrived in the central data store.

        This is different from `@timestamp`, which is when the event originally occurred. It''s
        also different from `event.created`, which is meant to capture the first time
        an agent saw the event.

        In normal conditions, assuming no tampering, the timestamps should chronologically
        look like this: `@timestamp` < `event.created` < `event.ingested`.'
      example: '2016-05-23T08:05:35.101Z'
      default_field: false
    - name: kind
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        highest level in the ECS category hierarchy.

        `event.kind` gives high-level information about what type of information the
        event contains, without being specific to the contents of the event. For example,
        values of this field distinguish alert events from metric events.

        The value of this field can be used to inform how these kinds of events should
        be handled. They may warrant different retention or different access control,
        and it may also help determine whether the data is coming in at a regular interval
        or not.'
      example: alert
    - name: module
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the module this data is coming from.

        If your monitoring agent supports the concept of modules or plugins to process
        events of a given source (e.g. Apache logs), `event.module` should contain
        the name of this module.'
      example: apache
    - name: original
      level: core
      type: keyword
      description: 'Raw text message of entire event. Used to demonstrate log integrity
        or where the full log message (before splitting it up in multiple parts) may
        be required, e.g. for reindex.

        This field is not indexed and doc_values are disabled. It cannot be searched,
        but it can be retrieved from `_source`. If users wish to override this and
        index this field, please see `Field data types` in the `Elasticsearch Reference`.'
      example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124;
        worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
      index: false
      doc_values: false
    - name: outcome
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        lowest level in the ECS category hierarchy.

        `event.outcome` simply denotes whether the event represents a success or a
        failure from the perspective of the entity that produced the event.

        Note that when a single transaction is described in multiple events, each
        event may populate different values of `event.outcome`, according to their
        perspective.

        Also note that in the case of a compound event (a single event that contains
        multiple logical events), this field should be populated with the value that
        best captures the overall success or failure from the perspective of the event
        producer.

        Further note that not all events will have an associated outcome. For example,
        this field is generally not populated for metric events, events with `event.type:info`,
        or any events for which an outcome does not make logical sense.'
      example: success
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Source of the event.

        Event transports such as Syslog or the Windows Event Log typically mention
        the source of an event. It can be the name of the software that generated
        the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
        (kernel, Microsoft-Windows-Security-Auditing).'
      example: kernel
    - name: reason
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reason why this event happened, according to the source.

        This describes the why of a particular action or outcome captured in the event.
        Where `event.action` captures the action from the event, `event.reason` describes
        why that action was taken. For example, a web proxy with an `event.action`
        which denied the request may also populate `event.reason` with the reason
        why (e.g. `blocked site`).'
      example: Terminated an unexpected process
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reference URL linking to additional information about this event.

        This URL links to a static definition of this event. Alert events, indicated
        by `event.kind:alert`, are a common use case for this field.'
      example: https://system.example.com/event/#0001234
      default_field: false
    - name: risk_score
      level: core
      type: float
      description: Risk score or priority of the event (e.g. security solutions).
        Use your system's original value here.
    - name: risk_score_norm
      level: extended
      type: float
      description: 'Normalized risk score or priority of the event, on a scale of
        0 to 100.

        This is mainly useful if you use more than one system that assigns risk scores,
        and you want to see a normalized value across all systems.'
    - name: sequence
      level: extended
      type: long
      format: string
      description: 'Sequence number of the event.

        The sequence number is a value published by some event sources, to make the
        exact ordering of events unambiguous, regardless of the timestamp precision.'
    - name: severity
      level: core
      type: long
      format: string
      description: 'The numeric severity of the event according to your event source.

        What the different severity values mean can be different between sources and
        use cases. It''s up to the implementer to make sure severities are consistent
        across events from the same source.

        The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
        is meant to represent the severity according to the event source (e.g. firewall,
        IDS). If the event source does not publish its own severity, you may optionally
        copy the `log.syslog.severity.code` to `event.severity`.'
      example: 7
    - name: start
      level: extended
      type: date
      description: event.start contains the date when the event started or when the
        activity was first observed.
    - name: timezone
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'This field should be populated when the event''s timestamp does
        not include timezone information already (e.g. default Syslog timestamps).
        It''s optional otherwise.

        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
        abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        third level in the ECS category hierarchy.

        `event.type` represents a categorization "sub-bucket" that, when used along
        with the `event.category` field values, enables filtering events down to a
        level appropriate for single visualization.

        This field is an array. This will allow proper categorization of some events
        that fall in multiple event types.'
    - name: url
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'URL linking to an external system to continue investigation of
        this event.

        This URL links to another system where in-depth investigation of the specific
        occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
        are a common use case for this field.'
      example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
      default_field: false
  - name: faas
    title: FaaS
    group: 2
    description: The FaaS fields describe information about the function as a service
      that is relevant to the event.
    type: group
    default_field: true
    fields:
    - name: coldstart
      level: extended
      type: boolean
      description: Boolean value indicating a cold start of a function.
      default_field: false
    - name: execution
      level: extended
      type: keyword
      ignore_above: 1024
      description: The execution ID of the current function execution.
      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
      default_field: false
    - name: trigger
      level: extended
      type: nested
      description: Details about the function trigger.
      default_field: false
    - name: trigger.request_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The ID of the trigger request, message, event, etc.
      example: 123456789
      default_field: false
    - name: trigger.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The trigger for the function execution.\nExpected values are:\n\
        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
      example: http
      default_field: false
  - name: file
    title: File
    group: 2
    description: 'A file is defined as a set of information that has been created
      on, or has existed on a filesystem.

      File objects can be associated with host events, network events, and/or file
      events (e.g., those produced by File Integrity Monitoring [FIM] products or
      services). File fields provide details about the affected file associated with
      the event or metric.'
    type: group
    default_field: true
    fields:
    - name: accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
    - name: attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attribute names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
    - name: ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
    - name: device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
    - name: directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
    - name: drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
    - name: fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On Linux, a resource fork is used to store additional data with a filesystem
        object. A file always has at least one fork for the data portion, and additional
        forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
    - name: gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
    - name: group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
    - name: mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
    - name: mtime
      level: extended
      type: date
      description: Last time the file content was modified.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
    - name: owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
    - name: target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Target path for symlinks.
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
    - name: uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
    - name: x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: Mountain View
      default_field: false
    - name: x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for the certificate signature algorithm. We recommend
        using the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: San Francisco
      default_field: false
    - name: x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
  - name: geo
    title: Geo
    group: 2
    description: 'Geo fields can carry data about a specific location related to an
      event.

      This geolocation information can be derived from techniques such as Geo IP,
      or be user-supplied.'
    type: group
    default_field: true
    fields:
    - name: city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing the continent's name.
      example: NA
      default_field: false
    - name: continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number (if this describes
        a local physical entity), or city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as an IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
  - name: group
    title: Group
    group: 2
    description: The group fields are meant to represent groups that are relevant
      to the event.
    type: group
    default_field: true
    fields:
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
  - name: hash
    title: Hash
    group: 2
    description: 'The hash fields represent different bitwise hash algorithms and
      their values.

      Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
      other hashes by lowercasing the hash algorithm name and using underscore separators
      as appropriate (snake case, e.g. sha3_512).

      Note that this fieldset is used for common hashes that may be computed over
      a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
      placed in the fieldsets to which they relate (tls and pe, respectively).'
    type: group
    default_field: true
    fields:
    - name: md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
  - name: host
    title: Host
    group: 2
    description: 'A host is defined as a general computing instance.

      ECS host.* fields should be populated with details about the host on which the
      event happened, or from which the measurement was taken. Host types include
      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
    type: group
    default_field: true
    fields:
    - name: architecture
      level: core
      type: keyword
      ignore_above: 1024
      description: Operating system architecture.
      example: x86_64
    - name: cpu.usage
      level: extended
      type: scaled_float
      description: 'Percent CPU used, normalized by the number of CPU cores so that
        it ranges from 0 to 1.

        Scaling factor: 1000.

        For example: for a two-core host, this value should be the average of the
        two cores, between 0 and 1.'
      scaling_factor: 1000
      default_field: false
    - name: disk.read.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) read successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: disk.write.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) written successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the domain of which the host is a member.

        For example, on Windows this could be the host''s Active Directory domain
        or NetBIOS domain name. For Linux this could be the domain of the host''s
        LDAP provider.'
      example: CONTOSO
      default_field: false
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing the continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number (if this describes
        a local physical entity), or city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as an IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: hostname
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Hostname of the host.

        It normally contains what the `hostname` command returns on the host machine.'
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique host id.

        As hostname is not always unique, use values that are meaningful in your environment.

        Example: The current usage of `beat.name`.'
    - name: ip
      level: core
      type: ip
      description: Host ip addresses.
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Host MAC addresses.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the host.

        It can contain what `hostname` returns on Unix systems, the fully qualified
        domain name, or a name specified by the user. The sender decides which value
        to use.'
    - name: network.egress.bytes
      level: extended
      type: long
      description: The number of bytes (gauge) sent out on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.egress.packets
      level: extended
      type: long
      description: The number of packets (gauge) sent out on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.ingress.bytes
      level: extended
      type: long
      description: The number of bytes received (gauge) on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.ingress.packets
      level: extended
      type: long
      description: The number of packets (gauge) received on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of these following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of host.

        For Cloud providers this can be the machine type like `t2.medium`. If vm,
        this could be the container, for example, or other information meaningful
        in your environment.'
    - name: uptime
      level: extended
      type: long
      description: Seconds the host has been up.
      example: 1325
  - name: http
    title: HTTP
    group: 2
    description: Fields related to HTTP activity. Use the `url` field set to store
      the url of the request.
    type: group
    default_field: true
    fields:
    - name: request.body.bytes
      level: extended
      type: long
      format: bytes
      description: Size in bytes of the request body.
      example: 887
    - name: request.body.content
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The full HTTP request body.
      example: Hello world
    - name: request.bytes
      level: extended
      type: long
      format: bytes
      description: Total size in bytes of the request (body and headers).
      example: 1437
    - name: request.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A unique identifier for each HTTP request to correlate logs between
        clients and servers in transactions.

        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
        or `X-Correlation-ID`.'
      example: 123e4567-e89b-12d3-a456-426614174000
      default_field: false
    - name: request.method
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'HTTP request method.

        The value should retain its casing from the original event. For example, `GET`,
        `get`, and `GeT` are all considered valid values for this field.'
      example: POST
    - name: request.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Mime type of the body of the request.

        This value must only be populated based on the content of the request body,
        not on the `Content-Type` header. Comparing the mime type of a request with
        the request''s Content-Type header can be helpful in detecting threats or
        misconfigured clients.'
      example: image/gif
      default_field: false
    - name: request.referrer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Referrer for this HTTP request.
      example: https://blog.example.com/
    - name: response.body.bytes
      level: extended
      type: long
      format: bytes
      description: Size in bytes of the response body.
      example: 887
    - name: response.body.content
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The full HTTP response body.
      example: Hello world
    - name: response.bytes
      level: extended
      type: long
      format: bytes
      description: Total size in bytes of the response (body and headers).
      example: 1437
    - name: response.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Mime type of the body of the response.

        This value must only be populated based on the content of the response body,
        not on the `Content-Type` header. Comparing the mime type of a response with
        the response''s Content-Type header can be helpful in detecting misconfigured
        servers.'
      example: image/gif
      default_field: false
    - name: response.status_code
      level: extended
      type: long
      format: string
      description: HTTP response status code.
      example: 404
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: HTTP version.
      example: 1.1
  - name: interface
    title: Interface
    group: 2
    description: The interface fields are used to record ingress and egress interface
      information when reported by an observer (e.g. firewall, router, load balancer)
      in the context of the observer handling a network connection. In the case of
      a single observer interface (e.g. network sensor on a span port) only the observer.ingress
      information should be populated.
    type: group
    default_field: true
    fields:
    - name: alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
  - name: log
    title: Log
    group: 2
    description: 'Details about the event''s logging mechanism or logging transport.

      The log.* fields are typically populated with details about the logging mechanism
      used to create and/or transport the event. For example, syslog details belong
      under `log.syslog.*`.

      The details specific to your event source are typically not logged under `log.*`,
      but rather in `event.*` or in other ECS fields.'
    type: group
    default_field: true
    fields:
    - name: file.path
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Full path to the log file this event came from, including the
        file name. It should include the drive letter, when appropriate.

        If the event wasn''t read from a log file, do not populate this field.'
      example: /var/log/fun-times.log
      default_field: false
    - name: level
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Original log level of the log event.

        If the source of the event provides a log level or textual severity, this
        is the one that goes in `log.level`. If your source doesn''t specify one,
        you may put your event transport''s severity here (e.g. Syslog severity).

        Some examples are `warn`, `err`, `i`, `informational`.'
      example: error
    - name: logger
      level: core
      type: keyword
      ignore_above: 1024
      description: The name of the logger inside an application. This is usually the
        name of the class which initialized the logger, or can be a custom name.
      example: org.elasticsearch.bootstrap.Bootstrap
    - name: origin.file.line
      level: extended
      type: long
      description: The line number of the file containing the source code which originated
        the log event.
      example: 42
    - name: origin.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The name of the file containing the source code which originated
        the log event.

        Note that this field is not meant to capture the log file. The correct field
        to capture the log file is `log.file.path`.'
      example: Bootstrap.java
    - name: origin.function
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the function or method which originated the log event.
      example: init
    - name: syslog
      level: extended
      type: object
      description: The Syslog metadata of the event, if the event was transmitted
        via Syslog. Please see RFCs 5424 or 3164.
    - name: syslog.facility.code
      level: extended
      type: long
      format: string
      description: 'The Syslog numeric facility of the log event, if available.

        According to RFCs 5424 and 3164, this value should be an integer between 0
        and 23.'
      example: 23
    - name: syslog.facility.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: The Syslog text-based facility of the log event, if available.
      example: local7
    - name: syslog.priority
      level: extended
      type: long
      format: string
      description: 'Syslog numeric priority of the event, if available.

        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
        This number is therefore expected to contain a value between 0 and 191.'
      example: 135
    - name: syslog.severity.code
      level: extended
      type: long
      description: 'The Syslog numeric severity of the log event, if available.

        If the event source publishing via Syslog provides a different numeric severity
        value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
        If the event source does not specify a distinct severity, you can optionally
        copy the Syslog severity to `event.severity`.'
      example: 3
    - name: syslog.severity.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The Syslog text-based severity of the log event, if available.

        If the event source publishing via Syslog provides a different severity value
        (e.g. firewall, IDS), your source''s text severity should go to `log.level`.
        If the event source does not specify a distinct severity, you can optionally
        copy the Syslog severity to `log.level`.'
      example: Error
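The `log.syslog.facility.*`, `log.syslog.priority` and `log.syslog.severity.*` descriptions above all hinge on one relation, priority = 8 * facility + severity. The decoder below is an added example (not ECS, Beats or Elastic code) that splits a PRI header into those fields and applies the fallback rule for `log.level`. The facility names for codes 12 through 15 are a common convention rather than RFC-mandated strings, and the capitalised severity names follow the page's `Error` example; both are assumptions.

```python
"""Decode a syslog PRI value into the ECS log.syslog.* fields
(added example, not ECS or Elastic code; numbering per RFC 5424 / RFC 3164)."""
import re

# Assumption: names for facilities 12-15 follow common syslog daemon usage.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri: int) -> dict:
    """Split PRI into facility and severity: pri = 8 * facility + severity.
    Valid PRI values are 0..191 (facility 0..23, severity 0..7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside the valid range 0..191")
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": {"code": facility, "name": FACILITIES[facility]},
        "severity": {"code": severity, "name": SEVERITIES[severity]},
    }


def to_ecs(line: str) -> dict:
    """Map one raw syslog line to ECS log.* fields.

    Source-specific severities (firewall, IDS) are deliberately not derived
    here; the schema reserves event.severity for those."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI header; leave log.syslog.* unpopulated")
    digits = m.group(1)
    # RFC 5424 forbids leading zeros in PRI ("<013>" is malformed, "<0>" is not).
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError(f"malformed PRI <{digits}>: leading zero")
    syslog = decode_pri(int(digits))
    return {
        "log": {
            "syslog": syslog,
            # Transport severity is an acceptable fallback for log.level only
            # when the source provides no level of its own.
            "level": syslog["severity"]["name"].lower(),
        },
        "message": line[m.end():],
    }
```

With a constructed line such as `<135>1 2024-01-01T00:00:00Z host app - - - hello`, 135 decodes to facility 16 (`local0`) and severity 7 (`Debug`); a value above 191, or a leading-zero PRI, is rejected rather than silently mapped.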
  - name: network
    title: Network
    group: 2
    description: 'The network is defined as the communication path over which a host
      or network event happens.

      The network.* fields should be populated with details about the network activity
      associated with an event.'
    type: group
    default_field: true
    fields:
    - name: application
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'When a specific application or service is identified from network
        connection details (source/dest IPs, ports, certificates, or wire format),
        this field captures the application''s or service''s name.

        For example, the original event identifies the network connection being from
        a specific web service in a `https` network connection, like `facebook` or
        `twitter`.

        The field value must be normalized to lowercase for querying.'
      example: aim
    - name: bytes
      level: core
      type: long
      format: bytes
      description: 'Total bytes transferred in both directions.

        If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
        sum.'
      example: 368
    - name: community_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of source and destination IPs and ports, as well as the
        protocol used in a communication. This is a tool-agnostic standard to identify
        flows.

        Learn more at https://github.com/corelight/community-id-spec.'
      example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
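The flow hash behind `network.community_id`, written out as an added example: a from-scratch implementation of the published Community ID v1 algorithm (seed, ordered addresses, protocol, padding byte, ordered ports, SHA-1, base64, `1:` prefix), not the spec's own reference code. Only the ICMP echo request/reply pairing is included; the spec maps further ICMP type pairs, which are omitted here as an assumption that echo suffices for the demonstration.

```python
"""Community ID v1 flow hash (added example; from-scratch implementation of the
algorithm published at https://github.com/corelight/community-id-spec, not the
spec's reference code)."""
import base64
import hashlib
import ipaddress
import struct

# ICMP echo request (8) and reply (0) are paired so both directions hash alike.
# Assumption: the spec's other pairs (timestamp, info, mask, router) are omitted.
_ICMP_PAIRS = {8: 0, 0: 8}


def _icmp_ports(icmp_type: int, icmp_code: int):
    """Return (sport, dport, one_way) pseudo-ports for an ICMP message."""
    if icmp_type in _ICMP_PAIRS:
        return icmp_type, _ICMP_PAIRS[icmp_type], False
    return icmp_type, icmp_code, True   # unpaired types are never reordered


def community_id_v1(saddr, daddr, sport, dport, proto, seed=0):
    """'1:' + base64(sha1(seed | saddr | daddr | proto | 0x00 | sport | dport)),
    with endpoints put in canonical order so A->B and B->A share one ID."""
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("source and destination address families differ")
    one_way = False
    if proto == 1:                      # ICMP: derive ports from type/code
        sport, dport, one_way = _icmp_ports(sport, dport)
    # Canonical ordering: smaller address first; tie broken by smaller port.
    if not one_way and not (src < dst or (src == dst and sport < dport)):
        src, dst, sport, dport = dst, src, dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))   # 16-bit big-endian seed, default 0
    h.update(src)
    h.update(dst)
    # protocol number, one zero padding byte, then the two 16-bit ports
    h.update(struct.pack("!BBHH", proto, 0, sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")
```

The property worth checking in any implementation is directional symmetry: the ID for the client-to-server tuple must equal the ID for the reply tuple, for TCP/UDP and for ICMP echo alike, while changing the protocol or the seed must change the ID. The seed lets separate sensor fleets produce non-colliding IDs; it has to be the same across every tool whose events you intend to join on this field.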
    - name: direction
      level: core
      type: keyword
      ignore_above: 1024
      description: |-
        Direction of the network traffic.
        Recommended values are:
          * ingress
          * egress
          * inbound
          * outbound
          * internal
          * external
          * unknown

        When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
        When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
        Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
      example: inbound
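The two vantage points the `network.direction` description distinguishes, as an added example (not ECS code): a host-based monitor decides between `ingress` and `egress` from its own addresses, while a perimeter monitor decides among the four perimeter values from which endpoints fall inside a defined set of internal networks. The host address list and the internal network list are constructed inputs, and the "both outside" case yields `external` exactly as the description reserves it for ISP- or VPN-style observers.

```python
"""Populate network.direction from one of the two allowed vantage points
(added example, not ECS code). Host addresses and perimeter networks are
constructed inputs supplied by the caller."""
import ipaddress


def host_direction(host_ips, source_ip, destination_ip):
    """Host-based monitoring: 'ingress' or 'egress' from this host's view."""
    addrs = {ipaddress.ip_address(ip) for ip in host_ips}
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(destination_ip)
    if dst in addrs and src not in addrs:
        return "ingress"
    if src in addrs and dst not in addrs:
        return "egress"
    # Self-traffic (loopback) or traffic not involving this host at all.
    return "unknown"


def perimeter_direction(internal_networks, source_ip, destination_ip):
    """Perimeter-based monitoring: inbound / outbound / internal / external,
    decided purely by which side of the perimeter each endpoint sits on."""
    nets = [ipaddress.ip_network(n, strict=False) for n in internal_networks]

    def inside(ip):
        addr = ipaddress.ip_address(ip)
        # ipaddress returns False for an address of the other IP version.
        return any(addr in n for n in nets)

    src_in, dst_in = inside(source_ip), inside(destination_ip)
    if src_in and dst_in:
        return "internal"      # never crosses the perimeter
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"          # both endpoints outside (ISP / VPN provider view)
```

Mixing the two vocabularies on one data source is the usual mistake: a sensor on a span port is a perimeter observer and should not emit `ingress`/`egress`, and an endpoint agent should not guess `inbound`/`outbound` without a perimeter definition it does not have.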
    - name: forwarded_ip
      level: core
      type: ip
      description: Host IP address when the source IP address is the proxy.
      example: 192.1.1.2
    - name: iana_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
        Standardized list of protocols. This aligns well with NetFlow and sFlow related
        logs which use the IANA Protocol Number.
      example: 6
    - name: inner
      level: extended
      type: object
      description: Network.inner fields are added in addition to network.vlan fields
        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
        fields include vlan.id and vlan.name. Inner vlan fields are typically used
        when sending traffic with multiple 802.1q encapsulations to a network sensor
        (e.g. Zeek, Wireshark).
      default_field: false
    - name: inner.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: inner.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name given by operators to sections of their network.
      example: Guest Wifi
    - name: packets
      level: core
      type: long
      description: 'Total packets transferred in both directions.

        If `source.packets` and `destination.packets` are known, `network.packets`
        is their sum.'
      example: 24
    - name: protocol
      level: core
      type: keyword
      ignore_above: 1024
      description: 'In the OSI Model this would be the Application Layer protocol.
        For example, `http`, `dns`, or `ssh`.

        The field value must be normalized to lowercase for querying.'
      example: http
    - name: transport
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Same as network.iana_number, but instead using the Keyword name
        of the transport layer (udp, tcp, ipv6-icmp, etc.)

        The field value must be normalized to lowercase for querying.'
      example: tcp
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
        ipsec, pim, etc.

        The field value must be normalized to lowercase for querying.'
      example: ipv4
    - name: vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
  - name: observer
    title: Observer
    group: 2
    description: 'An observer is defined as a special network, security, or application
      device used to detect, observe, or create network, security, or application-related
      events and metrics.

      This could be a custom hardware appliance or a server that has been configured
      to run special network, security, or application software. Examples include
      firewalls, web proxies, intrusion detection/prevention systems, network monitoring
      sensors, web application firewalls, data loss prevention systems, and APM servers.
      The observer.* fields shall be populated with details of the system, if any,
      that detects, observes and/or creates a network, security, or application event
      or metric. Message queues and ETL components used in processing events or metrics
      are not considered observers in ECS.'
    type: group
    default_field: true
    fields:
    - name: egress
      level: extended
      type: object
      description: Observer.egress holds information like interface number and name,
        vlan, and zone information to classify egress traffic.  Single armed monitoring
        such as a network sensor on a span port should only use observer.ingress to
        categorize traffic.
      default_field: false
    - name: egress.interface.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: egress.interface.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: egress.interface.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
    - name: egress.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: egress.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: egress.zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Network zone of outbound traffic as reported by the observer to
        categorize the destination area of egress traffic, e.g. Internal, External,
        DMZ, HR, Legal, etc.
      example: Public_Internet
      default_field: false
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: hostname
      level: core
      type: keyword
      ignore_above: 1024
      description: Hostname of the observer.
    - name: ingress
      level: extended
      type: object
      description: Observer.ingress holds information like interface number and name,
        vlan, and zone information to classify ingress traffic.  Single armed monitoring
        such as a network sensor on a span port should only use observer.ingress to
        categorize traffic.
      default_field: false
    - name: ingress.interface.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: ingress.interface.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: ingress.interface.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
    - name: ingress.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: ingress.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: ingress.zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Network zone of incoming traffic as reported by the observer to
        categorize the source area of ingress traffic, e.g. Internal, External, DMZ,
        HR, Legal, etc.
      example: DMZ
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP addresses of the observer.
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC addresses of the observer.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the observer.

        This is a name that can be given to an observer. This can be helpful for example
        if multiple firewalls of the same model are used in an organization.

        If no custom name is needed, the field can be left empty.'
      example: 1_proxySG
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of these following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: product
      level: extended
      type: keyword
      ignore_above: 1024
      description: The product name of the observer.
      example: s200
    - name: serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Observer serial number.
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the observer the data is coming from.

        There is no predefined list of observer types. Some examples are `forwarder`,
        `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
      example: firewall
    - name: vendor
      level: core
      type: keyword
      ignore_above: 1024
      description: Vendor name of the observer.
      example: Symantec
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Observer version.
  - name: orchestrator
    title: Orchestrator
    group: 2
    description: Fields that describe the resources which container orchestrators
      manage or act upon.
    type: group
    default_field: true
    fields:
    - name: api_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: API version being used to carry out the action.
      example: v1beta1
      default_field: false
    - name: cluster.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cluster.
      default_field: false
    - name: cluster.url
      level: extended
      type: keyword
      ignore_above: 1024
      description: URL of the API used to manage the cluster.
      default_field: false
    - name: cluster.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: The version of the cluster.
      default_field: false
    - name: namespace
      level: extended
      type: keyword
      ignore_above: 1024
      description: Namespace in which the action is taking place.
      example: kube-system
      default_field: false
    - name: organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: Organization affected by the event (for multi-tenant orchestrator
        setups).
      example: elastic
      default_field: false
    - name: resource.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the resource being acted upon.
      example: test-pod-cdcws
      default_field: false
    - name: resource.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of resource being acted upon.
      example: service
      default_field: false
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
      example: kubernetes
      default_field: false
  - name: organization
    title: Organization
    group: 2
    description: 'The organization fields enrich data with information about the company
      or entity the data is associated with.

      These fields help you arrange or filter data stored in an index by one or multiple
      organizations.'
    type: group
    default_field: true
    fields:
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the organization.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
  - name: os
    title: Operating System
    group: 2
    description: The OS fields contain information about the operating system.
    type: group
    default_field: true
    fields:
    - name: family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of these following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
  - name: package
    title: Package
    group: 2
    description: These fields contain information about an installed software package.
      It contains general information about a package, such as name, version or size.
      It also contains installation details, such as time or location.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package architecture.
      example: x86_64
    - name: build_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the build version of the installed
        package.

        For example use the commit SHA of a non-released package.'
      example: 36f4f7e89dd61b0988b12ee000b98966867710cd
      default_field: false
    - name: checksum
      level: extended
      type: keyword
      ignore_above: 1024
      description: Checksum of the installed package for verification.
      example: 68b329da9893e34099c7d8ad5cb9c940
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Description of the package.
      example: Open source programming language to build simple/reliable/efficient
        software.
    - name: install_scope
      level: extended
      type: keyword
      ignore_above: 1024
      description: Indicating how the package was installed, e.g. user-local, global.
      example: global
    - name: installed
      level: extended
      type: date
      description: Time when package was installed.
    - name: license
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'License under which the package was released.

        Use a short name, e.g. the license identifier from SPDX License List where
        possible (https://spdx.org/licenses/).'
      example: Apache License 2.0
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package name.
      example: go
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      description: Path where the package is installed.
      example: /usr/local/Cellar/go/1.12.9/
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Home page or reference URL of the software in this package, if
        available.
      example: https://golang.org
      default_field: false
    - name: size
      level: extended
      type: long
      format: string
      description: Package size in bytes.
      example: 62231
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Type of package.

        This should contain the package file type, rather than the package manager
        name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
      example: rpm
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package version.
      example: 1.12.9
  - name: pe
    title: PE Header
    group: 2
    description: These fields contain Windows Portable Executable (PE) metadata.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
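How the value in `pe.imphash` is formed, as an added example (not ECS, Elastic or pefile code): the import table is walked in order, each entry is lowercased and its module name stripped of a `.dll`/`.ocx`/`.sys` extension, the `module.function` strings are joined with commas, and the MD5 of that string is the hash. The block takes an already-parsed import list so it runs without a PE file or the pefile dependency; the constructed import list is illustrative. Ordinal-only imports are rendered as `ordN`, and the extra step pefile performs of resolving ordinals to names for a few well-known DLLs is omitted here as an assumption.

```python
"""Import hash (imphash) over a PE import table, in the form described in the
FireEye post linked above (added example, not ECS or pefile code). Works on a
parsed import list so it needs no PE file."""
import hashlib

_STRIP_EXT = (".dll", ".ocx", ".sys")


def _module_key(module: str) -> str:
    """Lowercase the module name and drop a .dll/.ocx/.sys extension."""
    name = module.lower()
    for ext in _STRIP_EXT:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports) -> str:
    """imports: iterable of (module, function_name_or_None, ordinal_or_None)
    in import-table order; order is part of the fingerprint.

    Assumption: ordinal imports become 'ordN'. pefile additionally resolves
    ordinals to names for a few known DLLs (e.g. ws2_32); that table is omitted.
    """
    parts = []
    for module, func, ordinal in imports:
        if func is None:
            if ordinal is None:
                raise ValueError(f"{module}: import needs a name or an ordinal")
            func = f"ord{ordinal}"
        parts.append(f"{_module_key(module)}.{func.lower()}")
    # MD5 is used here as a fingerprint, not for integrity or authentication.
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed sample import table (illustrative, not from a real binary).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("ws2_32.dll", None, 23),
    ("USER32.DLL", "MessageBoxA", None),
]
```

Because the hash covers names, not addresses or code bytes, two builds of the same tool that import the same functions in the same order share an imphash even when their file hashes differ; reordering the import table, or adding a single import, changes it, which is why it is a fingerprint for related samples rather than a content hash.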
    - name: original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
  - name: process
    title: Process
    group: 2
    description: 'These fields contain information about a process.

      These fields can help you correlate metrics information with a process id/name
      from a log message. The `process.pid` often stays in the metric itself and
      is copied to the global field for correlation.'
    type: group
    default_field: true
    fields:
    - name: args
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of process arguments, starting with the absolute path to
        the executable.

        May be filtered to protect sensitive information.'
      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
    - name: args_count
      level: extended
      type: long
      description: 'Length of the process.args array.

        This field can be useful for querying or performing bucket analysis on how
        many arguments were provided to start a process. More arguments may be an
        indication of suspicious activity.'
      example: 4
      default_field: false
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: command_line
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Full command line that started the process, including the absolute
        path to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.'
      example: /usr/bin/ssh -l user 10.0.0.16
      default_field: false
    - name: elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: end
      level: extended
      type: date
      description: The time the process ended.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: entity_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier for the process.

        The implementation of this is specified by the data source, but some examples
        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
        or a hash of some uniquely identifying components of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.'
      example: c2c455d9f99375d
      default_field: false
    - name: executable
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Absolute path to the process executable.
      example: /usr/bin/ssh
    - name: exit_code
      level: extended
      type: long
      description: 'The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g. process
        start).'
      example: 137
      default_field: false
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Process name.

        Sometimes called program name or similar.'
      example: ssh
    - name: parent.args
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of process arguments, starting with the absolute path to
        the executable.

        May be filtered to protect sensitive information.'
      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
      default_field: false
    - name: parent.args_count
      level: extended
      type: long
      description: 'Length of the process.args array.

        This field can be useful for querying or performing bucket analysis on how
        many arguments were provided to start a process. More arguments may be an
        indication of suspicious activity.'
      example: 4
      default_field: false
    - name: parent.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: parent.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: parent.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: parent.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: parent.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: parent.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: parent.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: parent.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: parent.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: parent.command_line
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Full command line that started the process, including the absolute
        path to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.'
      example: /usr/bin/ssh -l user 10.0.0.16
      default_field: false
    - name: parent.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: parent.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: parent.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: parent.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: parent.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: parent.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: parent.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: parent.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: parent.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: parent.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: parent.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: parent.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: parent.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: parent.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: parent.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: parent.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: parent.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: parent.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: parent.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: parent.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: parent.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: parent.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: parent.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: parent.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: parent.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: parent.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: parent.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: parent.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: parent.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: parent.end
      level: extended
      type: date
      description: The time the process ended.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: parent.entity_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier for the process.

        The implementation of this is specified by the data source, but some examples
        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
        or a hash of some uniquely identifying components of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.'
      example: c2c455d9f99375d
      default_field: false
    - name: parent.executable
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Absolute path to the process executable.
      example: /usr/bin/ssh
      default_field: false
    - name: parent.exit_code
      level: extended
      type: long
      description: 'The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g. process
        start).'
      example: 137
      default_field: false
    - name: parent.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: parent.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: parent.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: parent.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: parent.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: parent.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Process name.

        Sometimes called program name or similar.'
      example: ssh
      default_field: false
    - name: parent.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: parent.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: parent.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: parent.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: parent.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: parent.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: parent.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: parent.pgid
      level: extended
      type: long
      format: string
      description: Identifier of the group of processes the process belongs to.
      default_field: false
    - name: parent.pid
      level: core
      type: long
      format: string
      description: Process id.
      example: 4242
      default_field: false
    - name: parent.start
      level: extended
      type: date
      description: The time the process started.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: parent.thread.id
      level: extended
      type: long
      format: string
      description: Thread ID.
      example: 4242
      default_field: false
    - name: parent.thread.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Thread name.
      example: thread-0
      default_field: false
    - name: parent.title
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Process title.

        The proctitle, sometimes the same as the process name. Can also be different:
        for example, a browser setting its title to the web page currently opened.'
      default_field: false
    - name: parent.uptime
      level: extended
      type: long
      description: Seconds the process has been up.
      example: 1325
      default_field: false
    - name: parent.working_directory
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: The working directory of the process.
      example: /home/alice
      default_field: false
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: pgid
      level: extended
      type: long
      format: string
      description: Identifier of the group of processes the process belongs to.
    - name: pid
      level: core
      type: long
      format: string
      description: Process id.
      example: 4242
    - name: start
      level: extended
      type: date
      description: The time the process started.
      example: '2016-05-23T08:05:34.853Z'
    - name: thread.id
      level: extended
      type: long
      format: string
      description: Thread ID.
      example: 4242
    - name: thread.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Thread name.
      example: thread-0
    - name: title
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Process title.

        The proctitle, sometimes the same as the process name. Can also be different:
        for example, a browser setting its title to the web page currently opened.'
    - name: uptime
      level: extended
      type: long
      description: Seconds the process has been up.
      example: 1325
    - name: working_directory
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The working directory of the process.
      example: /home/alice
  - name: registry
    title: Registry
    group: 2
    description: Fields related to Windows Registry operations.
    type: group
    default_field: true
    fields:
    - name: data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written with base64 encoding.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of string with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g. `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents
      example: REG_SZ
      default_field: false
    - name: hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
  - name: related
    title: Related
    group: 2
    description: 'This field set is meant to facilitate pivoting around a piece of
      data.

      Some pieces of information can be seen in many places in an ECS event. To facilitate
      searching for them, store an array of all seen values to their corresponding
      field in `related.`.

      A concrete example is IP addresses, which can be under host, observer, source,
      destination, client, server, and network.forwarded_ip. If you append all IPs
      to `related.ip`, you can then search for a given IP trivially, no matter where
      it appeared, by querying `related.ip:192.0.2.15`.'
    type: group
    default_field: true
    fields:
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: All the hashes seen on your event. Populating this field, then
        using it to search for hashes can help in situations where you're unsure what
        the hash algorithm is (and therefore which key name to search).
      default_field: false
    - name: hosts
      level: extended
      type: keyword
      ignore_above: 1024
      description: All hostnames or other host identifiers seen on your event. Example
        identifiers include FQDNs, domain names, workstation names, or aliases.
      default_field: false
    - name: ip
      level: extended
      type: ip
      description: All of the IPs seen on your event.
    - name: user
      level: extended
      type: keyword
      ignore_above: 1024
      description: All the user names or other user identifiers seen on the event.
      default_field: false
  - name: rule
    title: Rule
    group: 2
    description: 'Rule fields are used to capture the specifics of any observer or
      agent rules that generate alerts or other notable events.

      Examples of data sources that would populate the rule fields include: network
      admission control platforms, network or host IDS/IPS, network firewalls, web
      application firewalls, url filters, endpoint detection and response (EDR) systems,
      etc.'
    type: group
    default_field: true
    fields:
    - name: author
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name, organization, or pseudonym of the author or authors who created
        the rule used to generate this event.
      example: '["Star-Lord"]'
      default_field: false
    - name: category
      level: extended
      type: keyword
      ignore_above: 1024
      description: A categorization value keyword used by the entity using the rule
        for detection of this event.
      example: Attempted Information Leak
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: The description of the rule generating the event.
      example: Block requests to public DNS over HTTPS / TLS protocols
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: A rule ID that is unique within the scope of an agent, observer,
        or other entity using the rule for detection of this event.
      example: 101
      default_field: false
    - name: license
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the license under which the rule used to generate this
        event is made available.
      example: Apache 2.0
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the rule or signature generating the event.
      example: BLOCK_DNS_over_TLS
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reference URL to additional information about the rule used to
        generate this event.

        The URL can point to the vendor''s documentation about the rule. If that''s
        not available, it can also be a link to a more general page describing this
        type of alert.'
      example: https://en.wikipedia.org/wiki/DNS_over_TLS
      default_field: false
    - name: ruleset
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the ruleset, policy, group, or parent category in which
        the rule used to generate this event is a member.
      example: Standard_Protocol_Filters
      default_field: false
    - name: uuid
      level: extended
      type: keyword
      ignore_above: 1024
      description: A rule ID that is unique within the scope of a set or group of
        agents, observers, or other entities using the rule for detection of this
        event.
      example: 1100110011
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: The version / revision of the rule being used for analysis.
      example: 1.1
      default_field: false
  - name: server
    title: Server
    group: 2
    description: 'A Server is defined as the responder in a network connection for
      events regarding sessions, connections, or bidirectional flow records.

      For TCP events, the server is the receiver of the initial SYN packet(s) of the
      TCP connection. For other protocols, the server is generally the responder in
      the network transaction. Some systems actually use the term "responder" to refer
      to the server in TCP connections. The server fields describe details about the
      system acting as the server in the network event. Server fields are usually
      populated in conjunction with client fields. Server fields are generally not
      populated for packet-level events.

      Client / server representations can add semantic context to an exchange, which
      is helpful to visualize the data in certain situations. If your context falls
      in that category, you should still ensure that source and destination are filled
      appropriately.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event server addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the server to the client.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the server system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing the continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as an IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the server (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the server.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of destination-based NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of destination-based NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the server to the client.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the server.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered server domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: service
    title: Service
    group: 2
    description: 'The service fields describe the service for or from which the data
      was collected.

      These fields help you find and correlate logs for a specific service and version.'
    footnote: The service fields may be self-nested under service.origin.* and service.target.* to
      describe origin or target services in the context of incoming or outgoing requests, respectively.
      However, the fieldsets service.origin.* and service.target.* must not be confused
      with the root service fieldset that is used to describe the actual service
      under observation. The fieldset service.origin.* may only be used in the context
      of incoming requests or events to describe the originating service of the request.
      The fieldset service.target.* may only be used in the context of outgoing requests
      or events to describe the target service of the request.
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service is comprised
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
    - name: node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host) - the node name can be manually set.'
      example: instance-0000000016
    - name: origin.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: origin.environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: origin.ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
      default_field: false
    - name: origin.id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service is comprised
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
      default_field: false
    - name: origin.name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
      default_field: false
    - name: origin.node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host) - the node name can be manually set.'
      example: instance-0000000016
      default_field: false
    - name: origin.state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
      default_field: false
    - name: origin.type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
      default_field: false
    - name: origin.version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
      default_field: false
    - name: state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
    - name: target.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: target.environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: target.ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
      default_field: false
    - name: target.id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service is comprised
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
      default_field: false
    - name: target.name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
      default_field: false
    - name: target.node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host) - the node name can be manually set.'
      example: instance-0000000016
      default_field: false
    - name: target.state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
      default_field: false
    - name: target.type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
      default_field: false
    - name: target.version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
      default_field: false
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
  - name: source
    title: Source
    group: 2
    description: 'Source fields capture details about the sender of a network exchange/packet.
      These fields are populated from a network event, packet, or other event containing
      details of a network transaction.

      Source fields are usually populated in conjunction with destination fields.
      The source and destination fields are considered the baseline and should always
      be filled if an event contains source and destination details from a network
      transaction. If the event also contains identification of the client and server
      roles, then the client and server fields should also be populated.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event source addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the source to the destination.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the source system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the source (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the source.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source-based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source-based NAT sessions (e.g. internal client
        to internet).

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the source to the destination.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the source.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered source domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example, the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: threat
    title: Threat
    group: 2
    description: "Fields to classify events and alerts according to a threat taxonomy\
      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
      \ The threat.tactic.* fields are meant to capture the high level category of\
      \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\
      \ which kind of approach is used by this detected threat, to accomplish the\
      \ goal (e.g. \"endpoint denial of service\")."
    type: group
    default_field: true
    fields:
    - name: enrichments
      level: extended
      type: nested
      description: A list of associated indicators objects enriching the event, and
        the context of that association/enrichment.
      default_field: false
    - name: enrichments.indicator
      level: extended
      type: object
      description: Object containing associated indicators enriching the event.
      default_field: false
    - name: enrichments.indicator.as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
      default_field: false
    - name: enrichments.indicator.as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Organization name.
      example: Google LLC
      default_field: false
    - name: enrichments.indicator.confidence
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Identifies the vendor-neutral confidence rating using the\
        \ None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework.\
        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
      example: Medium
      default_field: false
    - name: enrichments.indicator.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Describes the type of action conducted by the threat.
      example: IP x.x.x.x was observed delivering the Angler EK.
      default_field: false
    - name: enrichments.indicator.email.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies a threat indicator as an email address (irrespective
        of direction).
      example: phish@example.com
      default_field: false
    - name: enrichments.indicator.file.accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
      default_field: false
    - name: enrichments.indicator.file.attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attributes names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: enrichments.indicator.file.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: enrichments.indicator.file.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: enrichments.indicator.file.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: enrichments.indicator.file.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: enrichments.indicator.file.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: enrichments.indicator.file.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: enrichments.indicator.file.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
      default_field: false
    - name: enrichments.indicator.file.ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
      default_field: false
    - name: enrichments.indicator.file.device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
      default_field: false
    - name: enrichments.indicator.file.directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
      default_field: false
    - name: enrichments.indicator.file.drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: enrichments.indicator.file.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: enrichments.indicator.file.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: enrichments.indicator.file.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: enrichments.indicator.file.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: enrichments.indicator.file.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: enrichments.indicator.file.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: enrichments.indicator.file.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: enrichments.indicator.file.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: enrichments.indicator.file.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: enrichments.indicator.file.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: enrichments.indicator.file.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: enrichments.indicator.file.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: enrichments.indicator.file.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: enrichments.indicator.file.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: enrichments.indicator.file.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: enrichments.indicator.file.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: enrichments.indicator.file.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: enrichments.indicator.file.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: enrichments.indicator.file.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: enrichments.indicator.file.fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On Linux, a resource fork is used to store additional data with a filesystem
        object. A file always has at least one fork for the data portion, and additional
        forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
    - name: enrichments.indicator.file.gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
      default_field: false
    - name: enrichments.indicator.file.group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
      default_field: false
    - name: enrichments.indicator.file.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: enrichments.indicator.file.inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
      default_field: false
    - name: enrichments.indicator.file.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: enrichments.indicator.file.mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
      default_field: false
    - name: enrichments.indicator.file.mtime
      level: extended
      type: date
      description: Last time the file content was modified.
      default_field: false
    - name: enrichments.indicator.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
      default_field: false
    - name: enrichments.indicator.file.owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
      default_field: false
    - name: enrichments.indicator.file.path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
      default_field: false
    - name: enrichments.indicator.file.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: enrichments.indicator.file.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: enrichments.indicator.file.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: enrichments.indicator.file.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: enrichments.indicator.file.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: enrichments.indicator.file.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: enrichments.indicator.file.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: enrichments.indicator.file.size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
      default_field: false
    - name: enrichments.indicator.file.target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Target path for symlinks.
      default_field: false
    - name: enrichments.indicator.file.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
      default_field: false
    - name: enrichments.indicator.file.uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
      default_field: false
    - name: enrichments.indicator.file.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: Mountain View
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: enrichments.indicator.file.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: enrichments.indicator.file.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: enrichments.indicator.file.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: enrichments.indicator.file.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: enrichments.indicator.file.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: enrichments.indicator.file.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) code
      example: US
      default_field: false
    - name: enrichments.indicator.file.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: enrichments.indicator.file.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: enrichments.indicator.file.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: enrichments.indicator.file.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: enrichments.indicator.file.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.file.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: enrichments.indicator.first_seen
      level: extended
      type: date
      description: The date and time when intelligence source first reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
      default_field: false
    - name: enrichments.indicator.geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: enrichments.indicator.geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
      default_field: false
    - name: enrichments.indicator.geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
      default_field: false
    - name: enrichments.indicator.geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
      default_field: false
    - name: enrichments.indicator.geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
      default_field: false
    - name: enrichments.indicator.geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
      default_field: false
    - name: enrichments.indicator.geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: enrichments.indicator.geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
      default_field: false
    - name: enrichments.indicator.geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
      default_field: false
    - name: enrichments.indicator.geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: enrichments.indicator.ip
      level: extended
      type: ip
      description: Identifies a threat indicator as an IP address (irrespective of
        direction).
      example: 1.2.3.4
      default_field: false
    - name: enrichments.indicator.last_seen
      level: extended
      type: date
      description: The date and time when intelligence source last reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.marking.tlp
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
      example: White
      default_field: false
    - name: enrichments.indicator.modified_at
      level: extended
      type: date
      description: The date and time when intelligence source last modified information
        for this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.port
      level: extended
      type: long
      description: Identifies a threat indicator as a port number (irrespective of
        direction).
      example: 443
      default_field: false
    - name: enrichments.indicator.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the indicator's provider.
      example: lrz_urlhaus
      default_field: false
    - name: enrichments.indicator.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Reference URL linking to additional information about this indicator.
      example: https://system.example.com/indicator/0001234
      default_field: false
    - name: enrichments.indicator.registry.data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written with base64 encoding.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: enrichments.indicator.registry.data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of string with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: enrichments.indicator.registry.data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents
      example: REG_SZ
      default_field: false
    - name: enrichments.indicator.registry.hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: enrichments.indicator.registry.key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: enrichments.indicator.registry.path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: enrichments.indicator.registry.value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
    - name: enrichments.indicator.scanner_stats
      level: extended
      type: long
      description: Count of AV/EDR vendors that successfully detected malicious file
        or URL.
      example: 4
      default_field: false
    - name: enrichments.indicator.sightings
      level: extended
      type: long
      description: Number of times this indicator was observed conducting threat activity.
      example: 20
      default_field: false
    - name: enrichments.indicator.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
        \ Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
      example: ipv4-addr
      default_field: false
    - name: enrichments.indicator.url.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
      default_field: false
    - name: enrichments.indicator.url.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: enrichments.indicator.url.fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
      default_field: false
    - name: enrichments.indicator.url.full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
      default_field: false
    - name: enrichments.indicator.url.original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
      default_field: false
    - name: enrichments.indicator.url.password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
      default_field: false
    - name: enrichments.indicator.url.path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
      default_field: false
    - name: enrichments.indicator.url.port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
      default_field: false
    - name: enrichments.indicator.url.query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
      default_field: false
    - name: enrichments.indicator.url.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
      default_field: false
    - name: enrichments.indicator.url.scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
      default_field: false
    - name: enrichments.indicator.url.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: enrichments.indicator.url.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
      default_field: false
    - name: enrichments.indicator.url.username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
      default_field: false
    - name: enrichments.indicator.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: enrichments.indicator.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: enrichments.indicator.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: enrichments.indicator.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: enrichments.indicator.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: enrichments.indicator.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: enrichments.indicator.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: enrichments.indicator.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: enrichments.indicator.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: enrichments.indicator.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: enrichments.indicator.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: enrichments.indicator.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: enrichments.indicator.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: enrichments.indicator.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: enrichments.indicator.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: enrichments.indicator.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: enrichments.indicator.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) code
      example: US
      default_field: false
    - name: enrichments.indicator.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: enrichments.indicator.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: enrichments.indicator.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: enrichments.indicator.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: enrichments.indicator.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: enrichments.matched.atomic
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the atomic indicator value that matched a local environment
        endpoint or network event.
      example: bad-domain.com
      default_field: false
    - name: enrichments.matched.field
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the field of the atomic indicator that matched a local
        environment endpoint or network event.
      example: file.hash.sha256
      default_field: false
    - name: enrichments.matched.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the _id of the indicator document enriching the event.
      example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
      default_field: false
    - name: enrichments.matched.index
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the _index of the indicator document enriching the event.
      example: filebeat-8.0.0-2021.05.23-000011
      default_field: false
    - name: enrichments.matched.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the type of match that caused the event to be enriched
        with the given indicator
      example: indicator_match_rule
      default_field: false
    - name: framework
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the threat framework used to further categorize and classify
        the tactic and technique of the reported threat. Framework classification
        can be provided by detecting systems, evaluated at ingest time, or retrospectively
        tagged to events.
      example: MITRE ATT&CK
    - name: group.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The alias(es) of the group for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE group alias(es)."
      example: '[ "Magecart Group 6" ]'
      default_field: false
    - name: group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of the group for a set of related intrusion activity that\
        \ are tracked by a common name in the security community.\nWhile not required,\
        \ you can use a MITRE ATT&CK\xAE group id."
      example: G0037
      default_field: false
    - name: group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The name of the group for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE group name."
      example: FIN6
      default_field: false
    - name: group.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference URL of the group for a set of related intrusion\
        \ activity that are tracked by a common name in the security community.\n\
        While not required, you can use a MITRE ATT&CK\xAE group reference URL."
      example: https://attack.mitre.org/groups/G0037/
      default_field: false
    - name: indicator.as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
      default_field: false
    - name: indicator.as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Organization name.
      example: Google LLC
      default_field: false
    - name: indicator.confidence
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Identifies the vendor-neutral confidence rating using the\
        \ None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework.\
        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
      example: Medium
      default_field: false
    - name: indicator.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Describes the type of action conducted by the threat.
      example: IP x.x.x.x was observed delivering the Angler EK.
      default_field: false
    - name: indicator.email.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies a threat indicator as an email address (irrespective
        of direction).
      example: phish@example.com
      default_field: false
    - name: indicator.file.accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
      default_field: false
    - name: indicator.file.attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attributes names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: indicator.file.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: indicator.file.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: indicator.file.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: indicator.file.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: indicator.file.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer
      example: Microsoft Corporation
      default_field: false
    - name: indicator.file.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: indicator.file.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: indicator.file.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: indicator.file.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: indicator.file.created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
      default_field: false
    - name: indicator.file.ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
      default_field: false
    - name: indicator.file.device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
      default_field: false
    - name: indicator.file.directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
      default_field: false
    - name: indicator.file.drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: indicator.file.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: indicator.file.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: indicator.file.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: indicator.file.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: indicator.file.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: indicator.file.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: indicator.file.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: indicator.file.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: indicator.file.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: indicator.file.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: indicator.file.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: indicator.file.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: indicator.file.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: indicator.file.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: indicator.file.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: indicator.file.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: indicator.file.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: indicator.file.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: indicator.file.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: indicator.file.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: indicator.file.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: indicator.file.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: indicator.file.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: indicator.file.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: indicator.file.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: indicator.file.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: indicator.file.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: indicator.file.fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On Linux, a resource fork is used to store additional data with a filesystem
        object. A file always has at least one fork for the data portion, and additional
        forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
    - name: indicator.file.gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
      default_field: false
    - name: indicator.file.group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
      default_field: false
    - name: indicator.file.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: indicator.file.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: indicator.file.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: indicator.file.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: indicator.file.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: indicator.file.inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
      default_field: false
    - name: indicator.file.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: indicator.file.mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
      default_field: false
    - name: indicator.file.mtime
      level: extended
      type: date
      description: Last time the file content was modified.
      default_field: false
    - name: indicator.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
      default_field: false
    - name: indicator.file.owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
      default_field: false
    - name: indicator.file.path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
      default_field: false
    - name: indicator.file.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: indicator.file.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: indicator.file.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: indicator.file.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: indicator.file.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: indicator.file.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: indicator.file.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: indicator.file.size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
      default_field: false
    - name: indicator.file.target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Target path for symlinks.
      default_field: false
    - name: indicator.file.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
      default_field: false
    - name: indicator.file.uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
      default_field: false
    - name: indicator.file.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: indicator.file.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: indicator.file.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: indicator.file.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: indicator.file.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: Mountain View
      default_field: false
    - name: indicator.file.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: indicator.file.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: indicator.file.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: indicator.file.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: indicator.file.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: indicator.file.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: indicator.file.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: indicator.file.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: indicator.file.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: indicator.file.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: indicator.file.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: indicator.file.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: indicator.file.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: indicator.file.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: indicator.file.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: San Francisco
      default_field: false
    - name: indicator.file.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: indicator.file.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: indicator.file.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: indicator.file.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: indicator.first_seen
      level: extended
      type: date
      description: The date and time when intelligence source first reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
      default_field: false
    - name: indicator.geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: indicator.geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
      default_field: false
    - name: indicator.geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
      default_field: false
    - name: indicator.geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
      default_field: false
    - name: indicator.geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
      default_field: false
    - name: indicator.geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
      default_field: false
    - name: indicator.geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: indicator.geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
      default_field: false
    - name: indicator.geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
      default_field: false
    - name: indicator.geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: indicator.ip
      level: extended
      type: ip
      description: Identifies a threat indicator as an IP address (irrespective of
        direction).
      example: 1.2.3.4
      default_field: false
    - name: indicator.last_seen
      level: extended
      type: date
      description: The date and time when intelligence source last reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.marking.tlp
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
      example: WHITE
      default_field: false
    - name: indicator.modified_at
      level: extended
      type: date
      description: The date and time when intelligence source last modified information
        for this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.port
      level: extended
      type: long
      description: Identifies a threat indicator as a port number (irrespective of
        direction).
      example: 443
      default_field: false
    - name: indicator.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the indicator's provider.
      example: lrz_urlhaus
      default_field: false
    - name: indicator.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Reference URL linking to additional information about this indicator.
      example: https://system.example.com/indicator/0001234
      default_field: false
    - name: indicator.registry.data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written with base64 encoding.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: indicator.registry.data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of string with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: indicator.registry.data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents.
      example: REG_SZ
      default_field: false
    - name: indicator.registry.hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: indicator.registry.key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: indicator.registry.path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value.
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: indicator.registry.value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
    - name: indicator.scanner_stats
      level: extended
      type: long
      description: Count of AV/EDR vendors that successfully detected malicious file
        or URL.
      example: 4
      default_field: false
    - name: indicator.sightings
      level: extended
      type: long
      description: Number of times this indicator was observed conducting threat activity.
      example: 20
      default_field: false
    - name: indicator.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
        Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
      example: ipv4-addr
      default_field: false
    - name: indicator.url.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
      default_field: false
    - name: indicator.url.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: indicator.url.fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
      default_field: false
    - name: indicator.url.full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
      default_field: false
    - name: indicator.url.original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
      default_field: false
    - name: indicator.url.password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
      default_field: false
    - name: indicator.url.path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
      default_field: false
    - name: indicator.url.port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
      default_field: false
    - name: indicator.url.query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
      default_field: false
    - name: indicator.url.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
      default_field: false
    - name: indicator.url.scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
      default_field: false
    - name: indicator.url.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: indicator.url.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
      default_field: false
    - name: indicator.url.username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
      default_field: false
    - name: indicator.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: indicator.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: indicator.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: indicator.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: indicator.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: indicator.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: indicator.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: indicator.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: indicator.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: indicator.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: indicator.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: indicator.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: indicator.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: indicator.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: indicator.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: indicator.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: indicator.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: indicator.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: indicator.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: indicator.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: software.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The alias(es) of the software for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE associated software description."
      example: '[ "X-Agent" ]'
      default_field: false
    - name: software.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
        \ a MITRE ATT&CK\xAE software id."
      example: S0552
      default_field: false
    - name: software.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The name of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
        \ a MITRE ATT&CK\xAE software name."
      example: AdFind
      default_field: false
    - name: software.platforms
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The platforms of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n  * AWS\n\
        \  * Azure\n  * Azure AD\n  * GCP\n  * Linux\n  * macOS\n  * Network\n  *\
        \ Office 365\n  * SaaS\n  * Windows\n\nWhile not required, you can use a MITRE\
        \ ATT&CK\xAE software platforms."
      example: '[ "Windows" ]'
      default_field: false
    - name: software.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference URL of the software used by this threat to conduct\
        \ behavior commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you\
        \ can use a MITRE ATT&CK\xAE software reference URL."
      example: https://attack.mitre.org/software/S0552/
      default_field: false
    - name: software.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The type of software used by this threat to conduct behavior commonly\
        \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n  * Malware\n  * Tool\n\
        \n While not required, you can use a MITRE ATT&CK\xAE software type."
      example: Tool
      default_field: false
    - name: tactic.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
      example: TA0002
    - name: tactic.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Name of the type of tactic used by this threat. You can use a\
        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
      example: Execution
    - name: tactic.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of tactic used by this threat. You can use a\
        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
        \ )"
      example: https://attack.mitre.org/tactics/TA0002/
    - name: technique.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: T1059
    - name: technique.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: "The name of technique used by this threat. You can use a MITRE\
        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: Command and Scripting Interpreter
    - name: technique.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of technique used by this threat. You can use\
        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: https://attack.mitre.org/techniques/T1059/
    - name: technique.subtechnique.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The full id of subtechnique used by this threat. You can use a\
        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: T1059.001
      default_field: false
    - name: technique.subtechnique.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: "The name of subtechnique used by this threat. You can use a MITRE\
        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: PowerShell
      default_field: false
    - name: technique.subtechnique.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of subtechnique used by this threat. You can\
        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: https://attack.mitre.org/techniques/T1059/001/
      default_field: false
  - name: tls
    title: TLS
    group: 2
    description: Fields related to a TLS connection. These fields focus on the TLS
      protocol itself and intentionally avoid in-depth analysis of the related x.509
      certificate files.
    type: group
    default_field: true
    fields:
    - name: cipher
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the cipher used during the current connection.
      example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      default_field: false
    - name: client.certificate
      level: extended
      type: keyword
      ignore_above: 1024
      description: PEM-encoded stand-alone certificate offered by the client. This
        is usually mutually-exclusive of `client.certificate_chain` since this value
        also exists in that list.
      example: MII...
      default_field: false
    - name: client.certificate_chain
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of PEM-encoded certificates that make up the certificate
        chain offered by the client. This is usually mutually-exclusive of `client.certificate`
        since that value should be the first certificate in the chain.
      example: '["MII...", "MII..."]'
      default_field: false
    - name: client.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the MD5 digest of DER-encoded version
        of certificate offered by the client. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
      default_field: false
    - name: client.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
        of certificate offered by the client. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
      default_field: false
    - name: client.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA256 digest of DER-encoded
        version of certificate offered by the client. For consistency with other hash
        values, this value should be formatted as an uppercase hash.
      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
      default_field: false
    - name: client.issuer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name of subject of the issuer of the x.509 certificate
        presented by the client.
      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: client.ja3
      level: extended
      type: keyword
      ignore_above: 1024
      description: A hash that identifies clients based on how they perform an SSL/TLS
        handshake.
      example: d4e5b18d6b55c71272893221c96ba240
      default_field: false
    - name: client.not_after
      level: extended
      type: date
      description: Date/Time indicating when client certificate is no longer considered
        valid.
      example: '2021-01-01T00:00:00.000Z'
      default_field: false
    - name: client.not_before
      level: extended
      type: date
      description: Date/Time indicating when client certificate is first considered
        valid.
      example: '1970-01-01T00:00:00.000Z'
      default_field: false
    - name: client.server_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Also called an SNI, this tells the server which hostname the client
        is attempting to connect to. When this value is available, it should
        get copied to `destination.domain`.
      example: www.elastic.co
      default_field: false
    - name: client.subject
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name of subject of the x.509 certificate presented
        by the client.
      example: CN=myclient, OU=Documentation Team, DC=example, DC=com
      default_field: false
    - name: client.supported_ciphers
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of ciphers offered by the client during the client hello.
      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "..."]'
      default_field: false
    - name: client.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: client.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: client.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: client.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: client.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: client.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: client.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: client.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: client.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: client.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: client.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: client.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: client.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: client.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: client.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: client.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: client.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: client.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: client.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: client.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: client.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: client.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: client.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: client.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the curve used for the given cipher, when applicable.
      example: secp256r1
      default_field: false
    - name: established
      level: extended
      type: boolean
      description: Boolean flag indicating if the TLS negotiation was successful and
        transitioned to an encrypted tunnel.
      default_field: false
    - name: next_protocol
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the protocol being tunneled. Per the values in
        the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
        this string should be lower case.
      example: http/1.1
      default_field: false
    - name: resumed
      level: extended
      type: boolean
      description: Boolean flag indicating if this TLS connection was resumed from
        an existing TLS negotiation.
      default_field: false
    - name: server.certificate
      level: extended
      type: keyword
      ignore_above: 1024
      description: PEM-encoded stand-alone certificate offered by the server. This
        is usually mutually-exclusive of `server.certificate_chain` since this value
        also exists in that list.
      example: MII...
      default_field: false
    - name: server.certificate_chain
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of PEM-encoded certificates that make up the certificate
        chain offered by the server. This is usually mutually-exclusive of `server.certificate`
        since that value should be the first certificate in the chain.
      example: '["MII...", "MII..."]'
      default_field: false
    - name: server.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the MD5 digest of DER-encoded version
        of certificate offered by the server. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
      default_field: false
    - name: server.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
        of certificate offered by the server. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
      default_field: false
    - name: server.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA256 digest of DER-encoded
        version of certificate offered by the server. For consistency with other hash
        values, this value should be formatted as an uppercase hash.
      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
      default_field: false
    - name: server.issuer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Subject of the issuer of the x.509 certificate presented by the
        server.
      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: server.ja3s
      level: extended
      type: keyword
      ignore_above: 1024
      description: A hash that identifies servers based on how they perform an SSL/TLS
        handshake.
      example: 394441ab65754e2207b1e1b457b3641d
      default_field: false
    - name: server.not_after
      level: extended
      type: date
      description: Timestamp indicating when server certificate is no longer considered
        valid.
      example: '2021-01-01T00:00:00.000Z'
      default_field: false
    - name: server.not_before
      level: extended
      type: date
      description: Timestamp indicating when server certificate is first considered
        valid.
      example: '1970-01-01T00:00:00.000Z'
      default_field: false
    - name: server.subject
      level: extended
      type: keyword
      ignore_above: 1024
      description: Subject of the x.509 certificate presented by the server.
      example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: server.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: server.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: server.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: server.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: server.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: server.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: server.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: server.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P) of the issuing certificate
        authority.
      example: California
      default_field: false
    - name: server.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: server.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: server.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: server.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: server.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: server.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: server.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted as uppercase hexadecimal
        without colons.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: server.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for the certificate signature algorithm. We recommend using
        the names found in the Go crypto/x509 library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: server.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: server.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes of the subject.
      example: US
      default_field: false
    - name: server.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: server.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L) of the subject.
      example: San Francisco
      default_field: false
    - name: server.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: server.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: server.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P) of the subject.
      example: California
      default_field: false
    - name: server.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Numeric part of the version parsed from the original string.
      example: '1.2'
      default_field: false
    - name: version_protocol
      level: extended
      type: keyword
      ignore_above: 1024
      description: Normalized lowercase protocol name parsed from original string.
      example: tls
      default_field: false
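The `tls.server.x509.*` / `tls.client.x509.*` fields above and the `x509` group later in this schema both expect the same normalisations: serial number as uppercase hex without colons, signature algorithm named as Go's `crypto/x509` names it, `not_before`/`not_after` as timestamps, and every SAN type flattened into `alternative_names`. The following is an added example, not part of ECS or of any Elastic code, showing that mapping with only the Go standard library. It builds a constructed self-signed certificate in memory (the values mirror the schema's own examples) so it runs offline; the `ecsX509` struct, `parseToECS` and `selfSigned` are names invented here. Two caveats the mapping makes visible: Go reports curve names as `P-256`, not `nistp256`, and `pkix.Name.String()` emits the RFC 2253 reverse-order DN (`CN=...,O=...,C=US`), whereas the schema examples show OpenSSL's forward order, so pick one form and apply it consistently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ecsX509 carries the x509.* fields this example fills, plus the DER hash
// that the schema says belongs in the hash.* fields (e.g. file.hash.sha256).
type ecsX509 struct {
	SerialNumber, SignatureAlgorithm, PublicKeyAlgorithm, PublicKeyCurve string
	PublicKeySize, PublicKeyExponent, VersionNumber                    int
	SubjectCN, IssuerCN, SubjectDN, IssuerDN                           string
	AlternativeNames                                                   []string
	NotBefore, NotAfter, SHA256                                        string
}

// parseToECS parses DER and maps it onto ECS conventions: serial number as
// uppercase hex without colons, signature algorithm named as Go's crypto/x509
// names it, timestamps as RFC 3339 UTC, and all SAN types in one list.
func parseToECS(der []byte) (ecsX509, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return ecsX509{}, err
	}
	sum := sha256.Sum256(der)
	out := ecsX509{
		SerialNumber:       strings.ToUpper(cert.SerialNumber.Text(16)),
		SignatureAlgorithm: cert.SignatureAlgorithm.String(), // e.g. ECDSA-SHA256, SHA256-RSA
		PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
		VersionNumber:      cert.Version,
		SubjectCN:          cert.Subject.CommonName,
		IssuerCN:           cert.Issuer.CommonName,
		SubjectDN:          cert.Subject.String(), // RFC 2253 order: CN=...,O=...,C=US
		IssuerDN:           cert.Issuer.String(),
		NotBefore:          cert.NotBefore.UTC().Format(time.RFC3339),
		NotAfter:           cert.NotAfter.UTC().Format(time.RFC3339),
		SHA256:             hex.EncodeToString(sum[:]),
	}
	// Key size, curve and exponent are algorithm specific, as the schema notes.
	switch pk := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		out.PublicKeyCurve = pk.Curve.Params().Name // Go says "P-256"; normalise if you expect "nistp256"
		out.PublicKeySize = pk.Curve.Params().BitSize
	case *rsa.PublicKey:
		out.PublicKeySize = pk.N.BitLen()
		out.PublicKeyExponent = pk.E
	}
	out.AlternativeNames = append(out.AlternativeNames, cert.DNSNames...)
	out.AlternativeNames = append(out.AlternativeNames, cert.EmailAddresses...)
	for _, ip := range cert.IPAddresses {
		out.AlternativeNames = append(out.AlternativeNames, ip.String())
	}
	return out, nil
}

// selfSigned builds a constructed certificate in memory so the example runs
// offline. Real input is the DER from a TLS handshake, a signed binary or a
// file on disk; the values here mirror the schema's examples.
func selfSigned() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := new(big.Int).SetString("55FBB9C7DEBF09809D12CCAA", 16)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: "shared.global.example.net",
			Organization: []string{"Example, Inc."}, Country: []string{"US"}},
		NotBefore:             time.Date(2019, 8, 16, 1, 40, 25, 0, time.UTC),
		NotAfter:              time.Date(2020, 7, 16, 3, 15, 39, 0, time.UTC),
		DNSNames:              []string{"*.example.net", "shared.global.example.net"},
		IPAddresses:           []net.IP{net.ParseIP("192.0.2.10")},
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := selfSigned()
	if err != nil {
		panic(err)
	}
	e, err := parseToECS(der)
	fmt.Printf("%+v\nerr=%v\n", e, err)
}
```

Because `selfSigned` is self-issued, `issuer.*` and `subject.*` come out identical; with a real chain they differ, and the DER hash should go into the `hash.*` fields of the entity the certificate belongs to, not into `x509.*`.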
  - name: span.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the span within the scope of its trace.

      A span represents an operation within a transaction, such as a request to another
      service, or a database query.'
    example: 3ff9a8981b7ccd5a
  - name: trace.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the trace.

      A trace groups multiple events like transactions that belong together. For example,
      a user request handled by multiple inter-connected services.'
    example: 4bf92f3577b34da6a3ce929d0e0e4736
    default_field: true
  - name: transaction.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the transaction within the scope of its trace.

      A transaction is the highest level of work measured within a service, such as
      a request to a server.'
    example: 00f067aa0ba902b7
    default_field: true
  - name: url
    title: URL
    group: 2
    description: URL fields provide support for complete or partial URLs, and support
      breaking them down into scheme, domain, path, and so on.
    type: group
    default_field: true
    fields:
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
    - name: extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
    - name: fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
    - name: full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
    - name: original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
    - name: password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
    - name: path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
    - name: port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
    - name: query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
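The `url` group above sets several rules that are easy to get subtly wrong in an ingest pipeline: the `:` is not part of `scheme`, the `?` is not part of `query` but a bare `?` still produces an empty `query`, the `#` is not part of `fragment`, a bracketed IPv6 literal keeps its brackets in `domain`, `extension` is only the last suffix without the dot, and `registered_domain`/`top_level_domain`/`subdomain` need a public suffix list rather than label counting. The following is an added example, not part of ECS or of Elastic's ingest processors, that applies all of those rules with Go's standard library. The `ecsURL` struct, `parseURL` and `splitDomain` are names invented here, and `publicSuffixes` is a constructed six-entry stand-in for the real list at https://publicsuffix.org. For `subdomain` it applies the schema's fall-back rule (every label below the registered domain), since a URL host by itself does not say which label is the host name; if your source marks names as fully qualified, drop the leftmost label to match the "east" example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// ecsURL holds the ECS url.* fields. QuerySet records whether a "?" was
// present at all, so "?" with an empty query (url.query: "") and no "?"
// (no url.query field) stay distinguishable, as the schema requires.
type ecsURL struct {
	Original, Scheme, Domain, Path, Query, Fragment string
	Username, Password, Extension                   string
	Subdomain, RegisteredDomain, TopLevelDomain     string
	Port                                            int
	QuerySet                                        bool
}

// publicSuffixes is a constructed, deliberately tiny stand-in for the public
// suffix list (https://publicsuffix.org); a real mapper loads the full list.
var publicSuffixes = map[string]bool{
	"com": true, "net": true, "org": true, "co": true, "uk": true, "co.uk": true,
}

// splitDomain finds the longest public suffix in host and returns
// (subdomain, registered_domain, top_level_domain). It keeps every label
// below the registered domain in subdomain ("sub2.sub1" for
// sub2.sub1.example.com). IP literals have no registrable parts.
func splitDomain(host string) (sub, reg, tld string) {
	if host == "" || net.ParseIP(strings.Trim(host, "[]")) != nil {
		return "", "", ""
	}
	labels := strings.Split(strings.ToLower(host), ".")
	// Scanning from the full name down, the first candidate that matches has
	// the most labels, which is the "longest match" rule the PSL specifies.
	for i := range labels {
		if candidate := strings.Join(labels[i:], "."); publicSuffixes[candidate] {
			if i == 0 {
				return "", "", candidate // the host is itself a public suffix
			}
			return strings.Join(labels[:i-1], "."), strings.Join(labels[i-1:], "."), candidate
		}
	}
	return "", "", ""
}

// parseURL maps a full or partial URL onto ECS url.* fields following the
// schema's rules: ":" is not part of scheme, "?" not part of query, "#" not
// part of fragment, a bracketed IPv6 literal keeps its brackets in url.domain,
// and url.extension is only the last suffix ("gz", not "tar.gz").
func parseURL(raw string) (ecsURL, error) {
	out := ecsURL{Original: raw}
	u, err := url.Parse(raw)
	if err != nil {
		return out, err
	}
	out.Scheme, out.Path, out.Fragment = u.Scheme, u.Path, u.Fragment
	// ForceQuery is true for a trailing "?" with nothing after it.
	if u.ForceQuery || u.RawQuery != "" {
		out.QuerySet, out.Query = true, u.RawQuery
	}
	if u.User != nil {
		out.Username = u.User.Username()
		out.Password, _ = u.User.Password()
	}
	// Hostname() strips IPv6 brackets; the schema wants them kept in url.domain.
	out.Domain = u.Hostname()
	if strings.HasPrefix(u.Host, "[") {
		out.Domain = "[" + out.Domain + "]"
	}
	if p := u.Port(); p != "" {
		out.Port, _ = strconv.Atoi(p)
	}
	if ext := path.Ext(u.Path); len(ext) > 1 {
		out.Extension = ext[1:] // drop the leading dot
	}
	out.Subdomain, out.RegisteredDomain, out.TopLevelDomain = splitDomain(u.Hostname())
	return out, nil
}

func main() {
	for _, raw := range []string{
		"https://www.elastic.co:443/search?q=elasticsearch#top",
		"http://[2001:db8::1]:8080/pkg/example.tar.gz?",
		"/search?q=elasticsearch", // access-log style: path only
	} {
		u, err := parseURL(raw)
		fmt.Printf("%+v err=%v\n", u, err)
	}
}
```

Note what the access-log case does: `url.original` is still populated and `url.full` is not, because nothing here reconstructs a URL the event source never contained.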
  - name: user
    title: User
    group: 2
    description: 'The user fields describe information about the user that is relevant
      to the event.

      Fields can have one entry or multiple entries. If a user has more than one id,
      provide an array that includes all of them.'
    type: group
    default_field: true
    fields:
    - name: changes.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: changes.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: changes.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: changes.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: changes.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: changes.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: changes.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: changes.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: changes.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: changes.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: effective.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: effective.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: effective.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: effective.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: effective.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: effective.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: effective.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: effective.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: effective.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: effective.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: target.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: target.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: target.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: target.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: target.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: target.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: target.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: target.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: target.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: target.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: user_agent
    title: User agent
    group: 2
    description: 'The user_agent fields normally come from a browser request.

      They often show up in web service logs coming from the parsed user agent string.'
    type: group
    default_field: true
    fields:
    - name: device.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the device.
      example: iPhone
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the user agent.
      example: Safari
    - name: original
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Unparsed user_agent string.
      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of these following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the user agent.
      example: 12.0
  - name: vlan
    title: VLAN
    group: 2
    description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet,
      as well as ingress and egress VLAN associations of an observer in relation to
      a specific packet or connection.

      Network.vlan fields are used to record a single VLAN tag, or the outer tag in
      the case of q-in-q encapsulations, for a packet or connection as observed, typically
      provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.

      Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
      802.1q encapsulations) as observed, typically provided by a network sensor (e.g.
      Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
      only be used in addition to network.vlan fields to indicate q-in-q tagging.

      Observer.ingress and observer.egress VLAN values are used to record observer
      specific information when observer events contain discrete ingress and egress
      VLAN information, typically provided by firewalls, routers, or load balancers.'
    type: group
    default_field: true
    fields:
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
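The `vlan` group description above draws a distinction a sensor has to make byte by byte: one 802.1Q tag fills `network.vlan.id`, a q-in-q frame fills `network.vlan.id` with the outer tag and `network.inner.vlan.id` with the inner one, and the inner field must never appear on its own. The following is an added example, not part of ECS or of Zeek or Wireshark, that walks the tag stack of an Ethernet II frame and produces exactly those values. The `vlanTags` struct and `parseVLANTags` are names invented here, and the three frames are constructed inline with documentation MAC addresses and no payload. The single-tag frame deliberately sets priority bits in the TCI to show that the VLAN ID is only the low 12 bits.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	etherTypeVLAN = 0x8100 // 802.1Q customer tag
	etherTypeQinQ = 0x88A8 // 802.1ad service tag, the outer tag in q-in-q
)

// vlanTags is what a passive sensor would report: Tags counts the 802.1Q
// headers seen, OuterID maps to network.vlan.id, and InnerID maps to
// network.inner.vlan.id, which must only be set when Tags == 2.
type vlanTags struct {
	Tags             int
	OuterID, InnerID uint16
	EtherType        uint16 // ethertype of the payload after the tag stack
}

// parseVLANTags walks the tag stack of an Ethernet II frame. Each tag is a
// 2-byte TPID (0x8100 or 0x88A8) followed by a 2-byte TCI whose low 12 bits
// carry the VLAN ID; the top 4 bits (PCP/DEI) are masked off. More than two
// tags is rejected because the schema has no field for a third.
func parseVLANTags(frame []byte) (vlanTags, error) {
	var out vlanTags
	off := 12 // destination and source MAC
	for {
		if len(frame) < off+2 {
			return out, errors.New("frame truncated before ethertype")
		}
		et := binary.BigEndian.Uint16(frame[off:])
		if et != etherTypeVLAN && et != etherTypeQinQ {
			out.EtherType = et
			return out, nil
		}
		if len(frame) < off+4 {
			return out, errors.New("frame truncated inside 802.1Q tag")
		}
		vid := binary.BigEndian.Uint16(frame[off+2:]) & 0x0FFF
		out.Tags++
		switch out.Tags {
		case 1:
			out.OuterID = vid
		case 2:
			out.InnerID = vid
		default:
			return out, errors.New("more than two 802.1Q tags")
		}
		off += 4
	}
}

// Constructed frames: documentation MACs (RFC 7042 range), no payload.
var (
	macs = []byte{0x00, 0x00, 0x5e, 0x00, 0x53, 0x01, 0x00, 0x00, 0x5e, 0x00, 0x53, 0x02}
	// untagged IPv4
	frameUntagged = append(append([]byte{}, macs...), 0x08, 0x00)
	// single tag: TPID 0x8100, TCI 0xA00A -> PCP 5, DEI 0, VID 10
	frameSingle = append(append([]byte{}, macs...), 0x81, 0x00, 0xA0, 0x0A, 0x08, 0x00)
	// q-in-q: outer S-tag VID 100, inner C-tag VID 10
	frameQinQ = append(append([]byte{}, macs...), 0x88, 0xA8, 0x00, 0x64, 0x81, 0x00, 0x00, 0x0A, 0x08, 0x00)
)

func main() {
	for _, f := range [][]byte{frameUntagged, frameSingle, frameQinQ, frameQinQ[:16]} {
		tags, err := parseVLANTags(f)
		fmt.Printf("%+v err=%v\n", tags, err)
	}
}
```

When writing the event, emit `network.inner.vlan.id` only if `Tags == 2`; a frame with one tag has no inner VLAN, and writing `0` there would wrongly imply a q-in-q encapsulation with VID 0.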
  - name: vulnerability
    title: Vulnerability
    group: 2
    description: The vulnerability fields describe information about a vulnerability
      that is relevant to an event.
    type: group
    default_field: true
    fields:
    - name: category
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The type of system or architecture that the vulnerability affects.
        These may be platform-specific (for example, Debian or SUSE) or general (for
        example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
        vulnerability categories])

        This field must be an array.'
      example: '["Firewall"]'
      default_field: false
    - name: classification
      level: extended
      type: keyword
      ignore_above: 1024
      description: The classification of the vulnerability scoring system. For example
        (https://www.first.org/cvss/)
      example: CVSS
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: The description of the vulnerability that provides additional context
        of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
        Vulnerabilities and Exposures CVE description])
      example: In macOS before 2.12.6, there is a vulnerability in the RPC...
      default_field: false
    - name: enumeration
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of identifier used for this vulnerability. For example
        (https://cve.mitre.org/about/)
      example: CVE
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The identification (ID) is the number portion of a vulnerability
        entry. It includes a unique identification number for the vulnerability. For
        example (https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities
        and Exposures CVE ID])
      example: CVE-2019-00001
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: A resource that provides additional information, context, and mitigations
        for the identified vulnerability.
      example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
      default_field: false
    - name: report_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The report or scan identification number.
      example: 20191018.0001
      default_field: false
    - name: scanner.vendor
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the vulnerability scanner vendor.
      example: Tenable
      default_field: false
    - name: score.base
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Base scores cover an assessment for exploitability metrics (attack vector,
        complexity, privileges, and user interaction), impact metrics (confidentiality,
        integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
      example: 5.5
      default_field: false
    - name: score.environmental
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Environmental scores cover an assessment for any modified Base metrics, confidentiality,
        integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
      example: 5.5
      default_field: false
    - name: score.temporal
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Temporal scores cover an assessment for code maturity, remediation level,
        and confidence. For example (https://www.first.org/cvss/specification-document)'
      default_field: false
    - name: score.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The version of the scoring system (for example, CVSS v2.0 or v3.0)
        used for the `score` fields.

        The National Vulnerability Database (NVD) provides qualitative severity rankings
        of "Low", "Medium", and "High" for CVSS v2.0 base score ranges, in addition
        to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0
        specification.

        CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
        organization whose mission is to help computer security incident response
        teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
      example: 2.0
      default_field: false
    - name: severity
      level: extended
      type: keyword
      ignore_above: 1024
      description: The severity of the vulnerability can help with metrics and internal
        prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
      example: Critical
      default_field: false
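The `score.base` description above lists what goes into a base score (the exploitability metrics AV/AC/PR/UI, the impact metrics C/I/A, and scope) but scanners often deliver only the vector string, so a pipeline has to derive `vulnerability.score.base`, `vulnerability.score.version` and `vulnerability.severity` itself. The following is an added example, not part of ECS or of FIRST's own calculator, that implements the CVSS v3.1 base score equations and the qualitative severity scale from the specification in Go. The `cvssBase` struct, `baseScore` and `roundUp` are names invented here; the metric weights are the published v3.1 values. The `roundUp` function matters more than it looks: the v3.1 specification defines Roundup on integers precisely so that float noise like 4.000000001 does not round to 4.1, and doing it with `math.Ceil` on the float would reproduce that bug.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
)

// cvssBase is what gets written into vulnerability.score.base,
// vulnerability.score.version and vulnerability.severity.
type cvssBase struct {
	Score    float64
	Version  string
	Severity string
}

// Metric weights from the CVSS v3.1 specification (section 7.4).
var metricWeights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
	"AC": {"L": 0.77, "H": 0.44},
	"UI": {"N": 0.85, "R": 0.62},
	"C":  {"H": 0.56, "L": 0.22, "N": 0},
	"I":  {"H": 0.56, "L": 0.22, "N": 0},
	"A":  {"H": 0.56, "L": 0.22, "N": 0},
}

// PR weights depend on Scope: PR:L and PR:H weigh more when the vulnerable
// component can reach resources beyond its own security authority.
var prWeights = map[bool]map[string]float64{
	false: {"N": 0.85, "L": 0.62, "H": 0.27}, // scope unchanged
	true:  {"N": 0.85, "L": 0.68, "H": 0.5},  // scope changed
}

// roundUp is the v3.1 Roundup function: the smallest one-decimal value >= x,
// computed on integers so that float noise such as 4.000000001 stays 4.0.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// severityFor applies the qualitative rating scale from the specification.
func severityFor(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4.0:
		return "Low"
	case score < 7.0:
		return "Medium"
	case score < 9.0:
		return "High"
	}
	return "Critical"
}

// baseScore parses a CVSS v3.x vector string and computes the base score from
// the exploitability metrics (AV, AC, PR, UI), impact metrics (C, I, A) and scope.
func baseScore(vector string) (cvssBase, error) {
	parts := strings.Split(vector, "/")
	if len(parts) != 9 || !strings.HasPrefix(parts[0], "CVSS:3.") {
		return cvssBase{}, errors.New("expected a CVSS:3.x vector with the eight base metrics")
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return cvssBase{}, errors.New("malformed metric " + p)
		}
		m[kv[0]] = kv[1]
	}
	scopeChanged := m["S"] == "C"
	if !scopeChanged && m["S"] != "U" {
		return cvssBase{}, errors.New("scope must be U or C")
	}
	w := map[string]float64{}
	for name, table := range metricWeights {
		v, ok := table[m[name]]
		if !ok {
			return cvssBase{}, fmt.Errorf("bad or missing metric %s", name)
		}
		w[name] = v
	}
	pr, ok := prWeights[scopeChanged][m["PR"]]
	if !ok {
		return cvssBase{}, errors.New("bad or missing metric PR")
	}
	iss := 1 - (1-w["C"])*(1-w["I"])*(1-w["A"]) // Impact Sub-Score
	impact := 6.42 * iss
	if scopeChanged {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * w["AV"] * w["AC"] * pr * w["UI"]
	var score float64
	switch {
	case impact <= 0:
		score = 0
	case scopeChanged:
		score = roundUp(math.Min(1.08*(impact+exploitability), 10))
	default:
		score = roundUp(math.Min(impact+exploitability, 10))
	}
	return cvssBase{Score: score, Version: strings.TrimPrefix(parts[0], "CVSS:"), Severity: severityFor(score)}, nil
}

func main() {
	for _, v := range []string{
		"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", // 9.8 Critical
		"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", // 6.1 Medium, a typical reflected XSS
	} {
		r, err := baseScore(v)
		fmt.Printf("%s -> %+v err=%v\n", v, r, err)
	}
}
```

Temporal and environmental scores build on this base score with extra metric groups; the same `roundUp` applies there, and `score.version` should be taken from the vector prefix rather than hard-coded, since v3.0 and v3.1 vectors differ in the rounding rule even though the weights are the same.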
  - name: x509
    title: x509 Certificate
    group: 2
    description: 'This implements the common core fields for x509 certificates. This
      information is likely logged with TLS sessions, digital signatures found in
      executable binaries, S/MIME information in email bodies, or analysis of files
      on disk.

      When the certificate relates to a file, use the fields at `file.x509`. When
      hashes of the DER-encoded certificate are available, the `hash` data set should
      be populated as well (e.g. `file.hash.sha256`).

      Events that contain certificate information about network connections, should
      use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
      `tls.client.x509`.'
    type: group
    default_field: true
    fields:
    - name: alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of the issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and in uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
- key: beat
  anchor: beat-common
  title: Beat
  description: >
    Contains common beat fields available in all event types.
  fields:
    - name: agent.hostname
      type: alias
      path: agent.name
      description: >
        Deprecated - use agent.name or agent.id to identify an agent.

    - name: beat.timezone
      type: alias
      path: event.timezone
      migration: true

    - name: fields
      type: object
      object_type: keyword
      description: >
        Contains user configurable fields.

    - name: beat.name
      type: alias
      path: host.name
      migration: true

    - name: beat.hostname
      type: alias
      path: agent.name
      migration: true

    - name: timeseries.instance
      type: keyword
      description: Time series instance id
- key: cloud
  title: Cloud provider metadata
  description: >
    Metadata from cloud providers added by the add_cloud_metadata processor.
  fields:
    
    - name: cloud.image.id
      default_field: true
      example: ami-abcd1234
      description: >
        Image ID for the cloud instance.

    # Alias for old fields
    - name: meta.cloud.provider
      default_field: true
      type: alias
      path: cloud.provider
      migration: true

    - name: meta.cloud.instance_id
      default_field: true
      type: alias
      path: cloud.instance.id
      migration: true

    - name: meta.cloud.instance_name
      default_field: true
      type: alias
      path: cloud.instance.name
      migration: true

    - name: meta.cloud.machine_type
      default_field: true
      type: alias
      path: cloud.machine.type
      migration: true

    - name: meta.cloud.availability_zone
      default_field: true
      type: alias
      path: cloud.availability_zone
      migration: true

    - name: meta.cloud.project_id
      default_field: true
      type: alias
      path: cloud.project.id
      migration: true

    - name: meta.cloud.region
      default_field: true
      type: alias
      path: cloud.region
      migration: true

    
- key: docker
  title: Docker
  description: >
    Docker stats collected from Docker.
  short_config: false
  anchor: docker-processor
  fields:
    - name: docker
      default_field: true
      type: group
      fields:
        - name: container.id
          type: alias
          path: container.id
          migration: true

        - name: container.image
          type: alias
          path: container.image.name
          migration: true

        - name: container.name
          type: alias
          path: container.name
          migration: true

        - name: container.labels  # TODO: How to map these?
          type: object
          object_type: keyword
          description: >
            Image labels.
- key: host
  default_field: true
  title: Host
  description: >
    Info collected for the host machine.
  anchor: host-processor
  fields:

    # ECS fields are in fields.ecs.yml.
    # These are the non-ECS fields.
    - name: host
      default_field: true
      type: group
      fields:

        - name: containerized
          type: boolean
          description: >
            If the host is a container.

        - name: os.build
          type: keyword
          example: "18D109"
          description: >
            OS build information.

        - name: os.codename
          type: keyword
          example: "stretch"
          description: >
            OS codename, if any.
- key: kubernetes
  title: Kubernetes
  description: >
    Kubernetes metadata added by the kubernetes processor
  short_config: false
  anchor: kubernetes-processor
  fields:
    - name: kubernetes
      default_field: true
      type: group
      fields:
        - name: pod.name
          type: keyword
          description: >
            Kubernetes pod name

        - name: pod.uid
          type: keyword
          description: >
            Kubernetes Pod UID

        - name: pod.ip
          type: ip
          description: >
            Kubernetes Pod IP

        - name: namespace
          type: keyword
          description: >
            Kubernetes namespace

        - name: node.name
          type: keyword
          description: >
            Kubernetes node name

        - name: node.hostname
          type: keyword
          description: >
            Kubernetes hostname as reported by the node’s kernel

        - name: labels.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes labels map

        - name: annotations.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes annotations map

        - name: selectors.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes selectors map

        - name: replicaset.name
          type: keyword
          description: >
            Kubernetes replicaset name

        - name: deployment.name
          type: keyword
          description: >
            Kubernetes deployment name

        - name: statefulset.name
          type: keyword
          description: >
            Kubernetes statefulset name

        - name: container.name
          type: keyword
          description: >
            Kubernetes container name (different from the name reported by the runtime)
- key: process
  title: Process
  description: >
    Process metadata fields
  fields:
    - name: process
      default_field: true
      type: group
      fields:
        - name: exe
          type: alias
          path: process.executable
          migration: true
        - name: owner
          type: group
          description: Process owner information.
          fields:
            - name: id
              type: keyword
              ignore_above: 1024
              description: Unique identifier of the user.
            - name: name
              type: keyword
              ignore_above: 1024
              multi_fields:
              - name: text
                type: text
                norms: false
              description: Short name or login of the user.
              example: albert

- key: jolokia-autodiscover
  title: Jolokia Discovery autodiscover provider
  description: >
    Metadata from Jolokia Discovery added by the jolokia provider.
  fields:
    - name: jolokia.agent.version
      default_field: true
      type: keyword
      description: >
        Version number of jolokia agent.
    - name: jolokia.agent.id
      default_field: true
      type: keyword
      description: >
        Each agent has a unique id, which can either be provided during startup of the agent in the form of a configuration parameter or be autodetected. If autodetected, the id has several parts: the IP, the process id, the hashcode of the agent and its type.
    - name: jolokia.server.product
      default_field: true
      type: keyword
      description: >
        The container product if detected.
    - name: jolokia.server.version
      default_field: true
      type: keyword
      description: >
        The container's version (if detected).
    - name: jolokia.server.vendor
      default_field: true
      type: keyword
      description: >
        The vendor of the container the agent is running in.
    - name: jolokia.url
      default_field: true
      type: keyword
      description: >
        The URL at which this agent can be contacted.
    - name: jolokia.secured
      default_field: true
      type: boolean
      description: >
        Whether the agent was configured for authentication or not.
- key: common
  title: Common
  description: >
    Contains common fields available in all event types.
  fields:

  - name: file
    type: group
    description: File attributes.
    fields:
    - name: setuid
      type: boolean
      example: true
      description: Set if the file has the `setuid` bit set. Omitted otherwise.

    - name: setgid
      type: boolean
      example: true
      description: Set if the file has the `setgid` bit set. Omitted otherwise.

    - name: origin
      type: keyword
      description: >
          An array of strings describing a possible external origin for
          this file. For example, the URL it was downloaded from. Only
          supported on macOS, via the kMDItemWhereFroms attribute.
          Omitted if origin information is not available.
      multi_fields:
      - name: text
        type: text
        description: >
          This is an analyzed field that is useful for full text search
          on the origin data.

    - name: selinux
      type: group
      description: The SELinux identity of the file.
      fields:
      - name: user
        type: keyword
        description: The owner of the object.
      - name: role
        type: keyword
        description: The object's SELinux role.
      - name: domain
        type: keyword
        description: The object's SELinux domain or type.
      - name: level
        type: keyword
        example: s0
        description: The object's SELinux level.

  - name: user
    type: group
    description: User information.
    fields:

    - name: audit
      type: group
      description: Audit user information.
      fields:
      - name: id
        type: keyword
        description: Audit user ID.
      - name: name
        type: keyword
        description: Audit user name.

    - name: filesystem
      type: group
      description: Filesystem user information.
      fields:
      - name: id
        type: keyword
        description: Filesystem user ID.
      - name: name
        type: keyword
        description: Filesystem user name.
      - name: group
        type: group
        description: Filesystem group information.
        fields:
        - name: id
          type: keyword
          description: Filesystem group ID.
        - name: name
          type: keyword
          description: Filesystem group name.

    - name: saved
      type: group
      description: Saved user information.
      fields:
      - name: id
        type: keyword
        description: Saved user ID.
      - name: name
        type: keyword
        description: Saved user name.
      - name: group
        type: group
        description: Saved group information.
        fields:
        - name: id
          type: keyword
          description: Saved group ID.
        - name: name
          type: keyword
          description: Saved group name.
- key: auditd
  title: Auditd
  description: These are the fields generated by the auditd module.
  fields:

  - name: user
    type: group
    fields:
    - name: auid
      type: alias
      path: user.audit.id
      migration: true
    - name: uid
      type: alias
      path: user.id
      migration: true
    - name: fsuid
      type: alias
      path: user.filesystem.id
      migration: true
    - name: suid
      type: alias
      path: user.saved.id
      migration: true
    - name: gid
      type: alias
      path: user.group.id
      migration: true
    - name: sgid
      type: alias
      path: user.saved.group.id
      migration: true
    - name: fsgid
      type: alias
      path: user.filesystem.group.id
      migration: true
    - name: name_map
      type: group
      description: >
        If `resolve_ids` is set to true in the configuration then `name_map`
        will contain a mapping of uid field names to the resolved name
        (e.g. auid -> root).
      fields:
      - name: auid
        type: alias
        path: user.audit.name
        migration: true
      - name: uid
        type: alias
        path: user.name
        migration: true
      - name: fsuid
        type: alias
        path: user.filesystem.name
        migration: true
      - name: suid
        type: alias
        path: user.saved.name
        migration: true
      - name: gid
        type: alias
        path: user.group.name
        migration: true
      - name: sgid
        type: alias
        path: user.saved.group.name
        migration: true
      - name: fsgid
        type: alias
        path: user.filesystem.group.name
        migration: true
    - name: selinux
      type: group
      description: The SELinux identity of the actor.
      fields:
      - name: user
        type: keyword
        description: account submitted for authentication
      - name: role
        type: keyword
        description: user's SELinux role
      - name: domain
        type: keyword
        description: The actor's SELinux domain or type.
      - name: level
        type: keyword
        example: s0
        description: The actor's SELinux level.
      - name: category
        type: keyword
        description: The actor's SELinux category or compartments.

  - name: process
    type: group
    description: Process attributes.
    fields:
    - name: cwd
      type: alias
      path: process.working_directory
      migration: true
      description: The current working directory.

  - name: source
    type: group
    description: Source that triggered the event.
    fields:
    - name: path
      type: keyword
      description: This is the path associated with a unix socket.

  - name: destination
    type: group
    description: Destination address that triggered the event.
    fields:
    - name: path
      type: keyword
      description: This is the path associated with a unix socket.

  - name: auditd
    type: group
    fields:
    - name: message_type
      type: keyword
      example: syscall
      description: >
        The audit message type (e.g. syscall or apparmor_denied).
    - name: sequence
      type: long
      description: >
        The sequence number of the event as assigned by the kernel. Sequence
        numbers are stored as a uint32 in the kernel and can roll over.
    - name: session
      type: keyword
      description: >
        The session ID assigned to a login. All events related to a login
        session will have the same value.
    - name: result
      type: keyword
      example: success or fail
      description: The result of the audited operation (success/fail).

    - name: summary
      type: group
      fields:
      - name: actor
        type: group
        description: The actor is the user that triggered the audit event.
        fields:
        - name: primary
          type: keyword
          description: >
            The primary identity of the actor. This is the actor's original login
            ID. It will not change even if the user changes to another account.
        - name: secondary
          type: keyword
          description: The secondary identity of the actor. This is typically
            the same as the primary, except for when the user has used `su`.
      - name: object
        type: group
        description: >
          This is the thing or object being acted upon in the event.
        fields:
        - name: type
          type: keyword
          description: >
            A description of what the "thing" is (e.g. file, socket,
            user-session).
        - name: primary
          type: keyword
          description: ""
        - name: secondary
          type: keyword
          description: ""
      - name: how
        type: keyword
        description: >
          This describes how the action was performed. Usually this is the exe
          or command that was being executed that triggered the event.

    - name: paths
      type: group
      description: List of paths associated with the event.
      fields:
      - name: inode
        type: keyword
        description: inode number
      - name: dev
        type: keyword
        description: device name as found in /dev
      - name: obj_user
        type: keyword
        description: ""
      - name: obj_role
        type: keyword
        description: ""
      - name: obj_domain
        type: keyword
        description: ""
      - name: obj_level
        type: keyword
        description: ""
      - name: objtype
        type: keyword
        description: ""
      - name: ouid
        type: keyword
        description: file owner user ID
      - name: rdev
        type: keyword
        description: the device identifier (special files only)
      - name: nametype
        type: keyword
        description: kind of file operation being referenced
      - name: ogid
        type: keyword
        description: file owner group ID
      - name: item
        type: keyword
        description: which item is being recorded
      - name: mode
        type: keyword
        description: mode flags on a file
      - name: name
        type: keyword
        description: file name in avcs

    - name: data
      type: group
      description: The data from the audit messages.
      fields:
      - name: action
        type: keyword
        description: netfilter packet disposition
      - name: minor
        type: keyword
        description: device minor number
      - name: acct
        type: keyword
        description: a user's account name
      - name: addr
        type: keyword
        description: the remote address that the user is connecting from
      - name: cipher
        type: keyword
        description: name of crypto cipher selected
      - name: id
        type: keyword
        description: during account changes
      - name: entries
        type: keyword
        description: number of entries in the netfilter table
      - name: kind
        type: keyword
        description: server or client in crypto operation
      - name: ksize
        type: keyword
        description: key size for crypto operation
      - name: spid
        type: keyword
        description: sent process ID
      - name: arch
        type: keyword
        description: the elf architecture flags
      - name: argc
        type: keyword
        description: the number of arguments to an execve syscall
      - name: major
        type: keyword
        description: device major number
      - name: unit
        type: keyword
        description: systemd unit
      - name: table
        type: keyword
        description: netfilter table name
      - name: terminal
        type: keyword
        description: terminal name the user is running programs on
      - name: grantors
        type: keyword
        description: pam modules approving the action
      - name: direction
        type: keyword
        description: direction of crypto operation
      - name: op
        type: keyword
        description: the operation being performed that is audited
      - name: tty
        type: keyword
        description: tty device the user is running programs on
      - name: syscall
        type: keyword
        description: syscall number in effect when the event occurred
      - name: data
        type: keyword
        description: TTY text
      - name: family
        type: keyword
        description: netfilter protocol
      - name: mac
        type: keyword
        description: crypto MAC algorithm selected
      - name: pfs
        type: keyword
        description: perfect forward secrecy method
      - name: items
        type: keyword
        description: the number of path records in the event
      - name: a0
        type: keyword
        description: ""
      - name: a1
        type: keyword
        description: ""
      - name: a2
        type: keyword
        description: ""
      - name: a3
        type: keyword
        description: ""
      - name: hostname
        type: keyword
        description: the hostname that the user is connecting from
      - name: lport
        type: keyword
        description: local network port
      - name: rport
        type: keyword
        description: remote port number
      - name: exit
        type: keyword
        description: syscall exit code
      - name: fp
        type: keyword
        description: crypto key fingerprint
      - name: laddr
        type: keyword
        description: local network address
      - name: sport
        type: keyword
        description: local port number
      - name: capability
        type: keyword
        description: posix capabilities
      - name: nargs
        type: keyword
        description: the number of arguments to a socket call
      - name: new-enabled
        type: keyword
        description: new TTY audit enabled setting
      - name: audit_backlog_limit
        type: keyword
        description: audit system's backlog queue size
      - name: dir
        type: keyword
        description: directory name
      - name: cap_pe
        type: keyword
        description: process effective capability map
      - name: model
        type: keyword
        description: security model being used for virt
      - name: new_pp
        type: keyword
        description: new process permitted capability map
      - name: old-enabled
        type: keyword
        description: present TTY audit enabled setting
      - name: oauid
        type: keyword
        description: object's login user ID
      - name: old
        type: keyword
        description: old value
      - name: banners
        type: keyword
        description: banners used on printed page
      - name: feature
        type: keyword
        description: kernel feature being changed
      - name: vm-ctx
        type: keyword
        description: the vm's context string
      - name: opid
        type: keyword
        description: object's process ID
      - name: seperms
        type: keyword
        description: SELinux permissions being used
      - name: seresult
        type: keyword
        description: SELinux AVC decision granted/denied
      - name: new-rng
        type: keyword
        description: device name of rng being added from a vm
      - name: old-net
        type: keyword
        description: present MAC address assigned to vm
      - name: sigev_signo
        type: keyword
        description: signal number
      - name: ino
        type: keyword
        description: inode number
      - name: old_enforcing
        type: keyword
        description: old MAC enforcement status
      - name: old-vcpu
        type: keyword
        description: present number of CPU cores
      - name: range
        type: keyword
        description: user's SELinux range
      - name: res
        type: keyword
        description: result of the audited operation (success/fail)
      - name: added
        type: keyword
        description: number of new files detected
      - name: fam
        type: keyword
        description: socket address family
      - name: nlnk-pid
        type: keyword
        description: pid of netlink packet sender
      - name: subj
        type: keyword
        description: lspp subject's context string
      - name: a[0-3]
        type: keyword
        description: the arguments to a syscall
      - name: cgroup
        type: keyword
        description: path to cgroup in sysfs
      - name: kernel
        type: keyword
        description: kernel's version number
      - name: ocomm
        type: keyword
        description: object's command line name
      - name: new-net
        type: keyword
        description: MAC address being assigned to vm
      - name: permissive
        type: keyword
        description: SELinux is in permissive mode
      - name: class
        type: keyword
        description: resource class assigned to vm
      - name: compat
        type: keyword
        description: is_compat_task result
      - name: fi
        type: keyword
        description: file assigned inherited capability map
      - name: changed
        type: keyword
        description: number of changed files
      - name: msg
        type: keyword
        description: the payload of the audit record
      - name: dport
        type: keyword
        description: remote port number
      - name: new-seuser
        type: keyword
        description: new SELinux user
      - name: invalid_context
        type: keyword
        description: SELinux context
      - name: dmac
        type: keyword
        description: remote MAC address
      - name: ipx-net
        type: keyword
        description: IPX network number
      - name: iuid
        type: keyword
        description: ipc object's user ID
      - name: macproto
        type: keyword
        description: ethernet packet type ID field
      - name: obj
        type: keyword
        description: lspp object context string
      - name: ipid
        type: keyword
        description: IP datagram fragment identifier
      - name: new-fs
        type: keyword
        description: file system being added to vm
      - name: vm-pid
        type: keyword
        description: vm's process ID
      - name: cap_pi
        type: keyword
        description: process inherited capability map
      - name: old-auid
        type: keyword
        description: previous auid value
      - name: oses
        type: keyword
        description: object's session ID
      - name: fd
        type: keyword
        description: file descriptor number
      - name: igid
        type: keyword
        description: ipc object's group ID
      - name: new-disk
        type: keyword
        description: disk being added to vm
      - name: parent
        type: keyword
        description: the inode number of the parent file
      - name: len
        type: keyword
        description: length
      - name: oflag
        type: keyword
        description: open syscall flags
      - name: uuid
        type: keyword
        description: a UUID
      - name: code
        type: keyword
        description: seccomp action code
      - name: nlnk-grp
        type: keyword
        description: netlink group number
      - name: cap_fp
        type: keyword
        description: file permitted capability map
      - name: new-mem
        type: keyword
        description: new amount of memory in KB
      - name: seperm
        type: keyword
        description: SELinux permission being decided on
      - name: enforcing
        type: keyword
        description: new MAC enforcement status
      - name: new-chardev
        type: keyword
        description: new character device being assigned to vm
      - name: old-rng
        type: keyword
        description: device name of rng being removed from a vm
      - name: outif
        type: keyword
        description: out interface number
      - name: cmd
        type: keyword
        description: command being executed
      - name: hook
        type: keyword
        description: netfilter hook that packet came from
      - name: new-level
        type: keyword
        description: new run level
      - name: sauid
        type: keyword
        description: sent login user ID
      - name: sig
        type: keyword
        description: signal number
      - name: audit_backlog_wait_time
        type: keyword
        description: audit system's backlog wait time
      - name: printer
        type: keyword
        description: printer name
      - name: old-mem
        type: keyword
        description: present amount of memory in KB
      - name: perm
        type: keyword
        description: the file permission being used
      - name: old_pi
        type: keyword
        description: old process inherited capability map
      - name: state
        type: keyword
        description: audit daemon configuration resulting state
      - name: format
        type: keyword
        description: audit log's format
      - name: new_gid
        type: keyword
        description: new group ID being assigned
      - name: tcontext
        type: keyword
        description: the target's or object's context string
      - name: maj
        type: keyword
        description: device major number
      - name: watch
        type: keyword
        description: file name in a watch record
      - name: device
        type: keyword
        description: device name
      - name: grp
        type: keyword
        description: group name
      - name: bool
        type: keyword
        description: name of SELinux boolean
      - name: icmp_type
        type: keyword
        description: type of icmp message
      - name: new_lock
        type: keyword
        description: new value of feature lock
      - name: old_prom
        type: keyword
        description: network promiscuity flag
      - name: acl
        type: keyword
        description: access mode of resource assigned to vm
      - name: ip
        type: keyword
        description: network address of a printer
      - name: new_pi
        type: keyword
        description: new process inherited capability map
      - name: default-context
        type: keyword
        description: default MAC context
      - name: inode_gid
        type: keyword
        description: group ID of the inode's owner
      - name: new-log_passwd
        type: keyword
        description: new value for TTY password logging
      - name: new_pe
        type: keyword
        description: new process effective capability map
      - name: selected-context
        type: keyword
        description: new MAC context assigned to session
      - name: cap_fver
        type: keyword
        description: file system capabilities version number
      - name: file
        type: keyword
        description: file name
      - name: net
        type: keyword
        description: network MAC address
      - name: virt
        type: keyword
        description: kind of virtualization being referenced
      - name: cap_pp
        type: keyword
        description: process permitted capability map
      - name: old-range
        type: keyword
        description: present SELinux range
      - name: resrc
        type: keyword
        description: resource being assigned
      - name: new-range
        type: keyword
        description: new SELinux range
      - name: obj_gid
        type: keyword
        description: group ID of object
      - name: proto
        type: keyword
        description: network protocol
      - name: old-disk
        type: keyword
        description: disk being removed from vm
      - name: audit_failure
        type: keyword
        description: audit system's failure mode
      - name: inif
        type: keyword
        description: in interface number
      - name: vm
        type: keyword
        description: virtual machine name
      - name: flags
        type: keyword
        description: mmap syscall flags
      - name: nlnk-fam
        type: keyword
        description: netlink protocol number
      - name: old-fs
        type: keyword
        description: file system being removed from vm
      - name: old-ses
        type: keyword
        description: previous ses value
      - name: seqno
        type: keyword
        description: sequence number
      - name: fver
        type: keyword
        description: file system capabilities version number
      - name: qbytes
        type: keyword
        description: ipc object's quantity of bytes
      - name: seuser
        type: keyword
        description: user's SELinux user account
      - name: cap_fe
        type: keyword
        description: file assigned effective capability map
      - name: new-vcpu
        type: keyword
        description: new number of CPU cores
      - name: old-level
        type: keyword
        description: old run level
      - name: old_pp
        type: keyword
        description: old process permitted capability map
      - name: daddr
        type: keyword
        description: remote IP address
      - name: old-role
        type: keyword
        description: present SELinux role
      - name: ioctlcmd
        type: keyword
        description: The request argument to the ioctl syscall
      - name: smac
        type: keyword
        description: local MAC address
      - name: apparmor
        type: keyword
        description: apparmor event information
      - name: fe
        type: keyword
        description: file assigned effective capability map
      - name: perm_mask
        type: keyword
        description: file permission mask that triggered a watch event
      - name: ses
        type: keyword
        description: login session ID
      - name: cap_fi
        type: keyword
        description: file inherited capability map
      - name: obj_uid
        type: keyword
        description: user ID of object
      - name: reason
        type: keyword
        description: text string denoting a reason for the action
      - name: list
        type: keyword
        description: the audit system's filter list number
      - name: old_lock
        type: keyword
        description: present value of feature lock
      - name: bus
        type: keyword
        description: name of subsystem bus a vm resource belongs to
      - name: old_pe
        type: keyword
        description: old process effective capability map
      - name: new-role
        type: keyword
        description: new SELinux role
      - name: prom
        type: keyword
        description: network promiscuity flag
      - name: uri
        type: keyword
        description: URI pointing to a printer
      - name: audit_enabled
        type: keyword
        description: audit system's enable/disable status
      - name: old-log_passwd
        type: keyword
        description: present value for TTY password logging
      - name: old-seuser
        type: keyword
        description: present SELinux user
      - name: per
        type: keyword
        description: Linux personality
      - name: scontext
        type: keyword
        description: the subject's context string
      - name: tclass
        type: keyword
        description: target's object classification
      - name: ver
        type: keyword
        description: audit daemon's version number
      - name: new
        type: keyword
        description: value being set in feature
      - name: val
        type: keyword
        description: generic value associated with the operation
      - name: img-ctx
        type: keyword
        description: the vm's disk image context string
      - name: old-chardev
        type: keyword
        description: present character device assigned to vm
      - name: old_val
        type: keyword
        description: current value of SELinux boolean
      - name: success
        type: keyword
        description: whether the syscall was successful or not
      - name: inode_uid
        type: keyword
        description: user ID of the inode's owner
      - name: removed
        type: keyword
        description: number of deleted files
      - name: socket
        type: group
        fields:
        - name: port
          type: keyword
          description: The port number.
        - name: saddr
          type: keyword
          description: The raw socket address structure.
        - name: addr
          type: keyword
          description: The remote address.
        - name: family
          type: keyword
          example: unix
          description: The socket family (unix, ipv4, ipv6, netlink).
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: messages
      type: alias
      migration: true
      path: event.original
      description: >
        An ordered list of the raw messages received from the kernel that
        were used to construct this document. This field is present if an error
        occurred processing the data or if `include_raw_message` is set
        in the config.
    - name: warnings
      type: alias
      migration: true
      path: error.message
      description: >
        The warnings generated by the Beat during the construction of the event.
        These are disabled by default and are used for development and debug
        purposes only.

  - name: geoip
    type: group
    description: >
      The geoip fields are defined as a convenience in case you decide to
      enrich the data using a geoip filter in Logstash or an Elasticsearch geoip
      ingest processor.
    fields:
      - name: continent_name
        type: keyword
        description: >
          The name of the continent.
      - name: city_name
        type: keyword
        description: >
          The name of the city.
      - name: region_name
        type: keyword
        description: >
          The name of the region.
      - name: country_iso_code
        type: keyword
        description: >
          Country ISO code.
      - name: location
        type: geo_point
        description: >
          The longitude and latitude.
- key: file_integrity
  title: File Integrity
  description: These are the fields generated by the file_integrity module.
  fields:
  - name: hash
    type: group
    description: >
      Hashes of the file. The keys are algorithm names and the values are
      the hex encoded digest values.

    fields:
    - name: blake2b_256
      type: keyword
      description: BLAKE2b-256 hash of the file.

    - name: blake2b_384
      type: keyword
      description: BLAKE2b-384 hash of the file.

    - name: blake2b_512
      type: keyword
      description: BLAKE2b-512 hash of the file.

    - name: md5
      overwrite: true
      type: keyword
      description: MD5 hash of the file.

    - name: sha1
      overwrite: true
      type: keyword
      description: SHA1 hash of the file.

    - name: sha224
      type: keyword
      description: SHA224 hash of the file.

    - name: sha256
      overwrite: true
      type: keyword
      description: SHA256 hash of the file.

    - name: sha384
      type: keyword
      description: SHA384 hash of the file.

    - name: sha3_224
      type: keyword
      description: SHA3_224 hash of the file.

    - name: sha3_256
      type: keyword
      description: SHA3_256 hash of the file.

    - name: sha3_384
      type: keyword
      description: SHA3_384 hash of the file.

    - name: sha3_512
      type: keyword
      description: SHA3_512 hash of the file.

    - name: sha512
      overwrite: true
      type: keyword
      description: SHA512 hash of the file.

    - name: sha512_224
      type: keyword
      description: SHA512/224 hash of the file.

    - name: sha512_256
      type: keyword
      description: SHA512/256 hash of the file.

    - name: xxh64
      type: keyword
      description: XXH64 hash of the file.
- key: system
  title: "System"
  description: >
    These are the fields generated by the system module.
  release: beta
  fields:

  - name: event
    type: group
    fields:
    - name: origin
      type: keyword
      description: >
        Origin of the event. This can be a file path (e.g. `/var/log/log.1`),
        or the name of the system component that supplied the data (e.g. `netlink`).

  - name: user
    type: group
    fields:
    - name: entity_id
      type: keyword
      description: >
        ID uniquely identifying the user on a host. It is computed as a SHA-256 hash
        of the host ID, user ID, and user name.
    - name: terminal
      type: keyword
      description: >
        Terminal of the user.

  - name: process
    type: group
    fields:
    - name: hash
      type: group
      description: >
        Hashes of the executable. The keys are algorithm names and the values are
        the hex encoded digest values.

      fields:
      - name: blake2b_256
        type: keyword
        description: BLAKE2b-256 hash of the executable.

      - name: blake2b_384
        type: keyword
        description: BLAKE2b-384 hash of the executable.

      - name: blake2b_512
        type: keyword
        description: BLAKE2b-512 hash of the executable.

      - name: sha224
        type: keyword
        description: SHA224 hash of the executable.

      - name: sha384
        type: keyword
        description: SHA384 hash of the executable.

      - name: sha3_224
        type: keyword
        description: SHA3_224 hash of the executable.

      - name: sha3_256
        type: keyword
        description: SHA3_256 hash of the executable.

      - name: sha3_384
        type: keyword
        description: SHA3_384 hash of the executable.

      - name: sha3_512
        type: keyword
        description: SHA3_512 hash of the executable.

      - name: sha512_224
        type: keyword
        description: SHA512/224 hash of the executable.

      - name: sha512_256
        type: keyword
        description: SHA512/256 hash of the executable.

      - name: xxh64
        type: keyword
        description: XXH64 hash of the executable.

  - name: system.audit
    type: group
    description: >
    fields:
        - name: host
          type: group
          description: >
            `host` contains general host information.
          release: beta
          fields:
          - name: uptime
            type: long
            format: duration
            input_format: nanoseconds
            output_format: asDays
            output_precision: 1
            description: >
                Uptime in nanoseconds.
          - name: boottime
            type: date
            description: >
                Boot time.
          - name: containerized
            type: boolean
            description: >
                Set if host is a container.
          - name: timezone.name
            type: keyword
            description: >
                Name of the timezone of the host, e.g. BST.
          - name: timezone.offset.sec
            type: long
            description: >
                Timezone offset in seconds.
          - name: hostname
            type: keyword
            description: >
                Hostname.
          - name: id
            type: keyword
            description: >
                Host ID.
          - name: architecture
            type: keyword
            description: >
                Host architecture (e.g. x86_64).
          - name: mac
            type: keyword
            description: >
                MAC addresses.
          - name: ip
            type: ip
            description: >
                IP addresses.
          - name: os
            type: group
            description: >
              `os` contains information about the operating system.
            fields:
            - name: codename
              type: keyword
              description: >
                OS codename, if any (e.g. stretch).
            - name: platform
              type: keyword
              description: >
                OS platform (e.g. centos, ubuntu, windows).
            - name: name
              type: keyword
              description: >
                OS name (e.g. Mac OS X).
            - name: family
              type: keyword
              description: >
                OS family (e.g. redhat, debian, freebsd, windows).
            - name: version
              type: keyword
              description: >
                OS version.
            - name: kernel
              type: keyword
              description: >
                The operating system's kernel version.
            - name: type
              type: keyword
              description: >
                OS type (see ECS os.type).
        - name: package
          type: group
          description: >
            `package` contains information about an installed or removed package.
          release: beta
          fields:
          - name: entity_id
            type: keyword
            description: >
              ID uniquely identifying the package. It is computed as a SHA-256 hash of the
              host ID, package name, and package version.
          - name: name
            type: keyword
            description: >
              Package name.
          - name: version
            type: keyword
            description: >
              Package version.
          - name: release
            type: keyword
            description: >
              Package release.
          - name: arch
            type: keyword
            description: >
              Package architecture.
          - name: license
            type: keyword
            description: >
              Package license.
          - name: installtime
            type: date
            description: >
              Package install time.
          - name: size
            type: long
            description: >
              Package size.
          - name: summary
            description: >
              Package summary.
          - name: url
            type: keyword
            description: >
              Package URL.
        - name: user
          type: group
          description: >
            `user` contains information about the users on a system.
          release: beta
          fields:
            - name: name
              type: keyword
              description: >
                  User name.
            - name: uid
              type: keyword
              description: >
                  User ID.
            - name: gid
              type: keyword
              description: >
                  Group ID.
            - name: dir
              type: keyword
              description: >
                  User's home directory.
            - name: shell
              type: keyword
              description: >
                  Program to run at login.
            - name: user_information
              type: keyword
              description: >
                  General user information. On Linux, this is the gecos field.
            - name: group
              type: object
              description: >
                `group` contains information about any groups the user is part of (beyond the user's primary group).
              fields:
                - name: name
                  type: keyword
                  description: >
                      Group name.
                - name: gid
                  type: integer
                  description: >
                      Group ID.
            - name: password
              type: group
              description: >
                `password` contains information about a user's password (not the password itself).
              fields:
                - name: type
                  type: keyword
                  description: >
                      A user's password type. Possible values are `shadow_password`
                      (the password hash is in the shadow file), `password_disabled`,
                      `no_password` (this is dangerous as anyone can log in), and
                      `crypt_password` (when the password field in /etc/passwd seems
                      to contain an encrypted password).
                - name: last_changed
                  type: date
                  description: >
                      The day the user's password was last changed.