sh-3ll 1.0
DIR:/etc/filebeat/
Current File : //etc/filebeat/fields.yml
# WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 8.0.0-dev.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.

- key: ecs
  title: ECS
  description: ECS Fields.
  fields:
  - name: '@timestamp'
    level: core
    required: true
    type: date
    description: 'Date/time when the event originated.

      This is the date/time extracted from the event, typically representing when
      the event was generated by the source.

      If the event source has no original timestamp, this value is typically populated
      by the first time the event was received by the pipeline.

      Required field for all events.'
    example: '2016-05-23T08:05:34.853Z'
    default_field: true
  - name: labels
    level: core
    type: object
    object_type: keyword
    description: 'Custom key/value pairs.

      Can be used to add meta information to events. Should not contain nested objects.
      All values are stored as keyword.

      Example: `docker` and `k8s` labels.'
    example: '{"application": "foo-bar", "env": "production"}'
    default_field: true
  - name: message
    level: core
    type: match_only_text
    description: 'For log events the message field contains the log message, optimized
      for viewing in a log viewer.

      For structured logs without an original message field, other fields can be concatenated
      to form a human-readable summary of the event.

      If multiple messages exist, they can be combined into one message.'
    example: Hello World
    default_field: true
  - name: tags
    level: core
    type: keyword
    ignore_above: 1024
    description: List of keywords used to tag each event.
    example: '["production", "env2"]'
    default_field: true
  - name: agent
    title: Agent
    group: 2
    description: 'The agent fields contain the data about the software entity, if
      any, that collects, detects, or observes events on a host, or takes measurements
      on a host.

      Examples include Beats. Agents may also run on observers. ECS agent.* fields
      shall be populated with details of the agent running on the host or observer
      where the event happened or the measurement was taken.'
    footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
      For APM, it is the agent running in the app/service. The agent information does
      not change if data is sent through queuing systems like Kafka, Redis, or processing
      systems such as Logstash or APM Server.'
    type: group
    default_field: true
    fields:
    - name: build.original
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Extended build information for the agent.

        This field is intended to contain any build information that a data source
        may provide, no specific formatting is required.'
      example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
        built 2020-02-05 23:10:10 +0000 UTC]
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this agent (if one exists).

        This id normally changes across restarts, but `agent.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of this agent (if one exists).

        Example: For Beats this would be beat.id.'
      example: 8a4f500d
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the agent.

        This is a name that can be given to an agent. This can be helpful if for example
        two Filebeat instances are running on the same host but a human readable separation
        is needed on which Filebeat instance data is coming from.

        If no name is given, the name is often left empty.'
      example: foo
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of the agent.

        The agent type always stays the same and should be given by the agent used.
        In case of Filebeat the agent would always be Filebeat also if two Filebeat
        instances are run on the same machine.'
      example: filebeat
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Version of the agent.
      example: 6.0.0-rc2
  - name: as
    title: Autonomous System
    group: 2
    description: An autonomous system (AS) is a collection of connected Internet Protocol
      (IP) routing prefixes under the control of one or more network operators on
      behalf of a single administrative entity or domain that presents a common, clearly
      defined routing policy to the internet.
    type: group
    default_field: true
    fields:
    - name: number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
  - name: client
    title: Client
    group: 2
    description: 'A client is defined as the initiator of a network connection for
      events regarding sessions, connections, or bidirectional flow records.

      For TCP events, the client is the initiator of the TCP connection that sends
      the SYN packet(s). For other protocols, the client is generally the initiator
      or requestor in the network transaction. Some systems use the term "originator"
      to refer to the client in TCP connections. The client fields describe details about
      the system acting as the client in the network event. Client fields are usually
      populated in conjunction with server fields. Client fields are generally not
      populated for packet-level events.

      Client / server representations can add semantic context to an exchange, which
      is helpful to visualize the data in certain situations. If your context falls
      in that category, you should still ensure that source and destination are filled
      appropriately.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event client addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the client to the server.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the client system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the client (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the client.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the client to the server.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the client.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered client domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: cloud
    title: Cloud
    group: 2
    description: Fields related to the cloud or infrastructure the events are coming
      from.
    footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
      from its host, the cloud info contains the data about this machine. If Metricbeat
      runs on a remote machine outside the cloud and fetches data from a service running
      in the cloud, the field contains cloud data from the machine the service is
      running on.

      The cloud fields may be self-nested under cloud.origin.* and cloud.target.* to
      describe origin or target service''s cloud information in the context of incoming
      or outgoing requests, respectively. However, the fieldsets cloud.origin.* and
      cloud.target.* must not be confused with the root cloud fieldset that is used
      to describe the cloud context of the actual service under observation. The
      fieldset cloud.origin.* may only be used in the context of incoming requests
      or events to provide the originating service''s cloud information. The fieldset
      cloud.target.* may only be used in the context of outgoing requests or events
      to describe the target service''s cloud information.'
    type: group
    default_field: true
    fields:
    - name: account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
    - name: account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
    - name: instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
    - name: instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
    - name: machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
    - name: origin.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: origin.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: origin.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: origin.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: origin.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: origin.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: origin.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: origin.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: origin.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: origin.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: origin.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
    - name: region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
    - name: service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
    - name: target.account.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account or organization id used to identify different
        entities in a multi-tenant environment.

        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
      example: 666777888999
      default_field: false
    - name: target.account.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud account name or alias used to identify different entities
        in a multi-tenant environment.

        Examples: AWS account name, Google Cloud ORG display name.'
      example: elastic-dev
      default_field: false
    - name: target.availability_zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Availability zone in which this host, resource, or service is located.
      example: us-east-1c
      default_field: false
    - name: target.instance.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance ID of the host machine.
      example: i-1234567890abcdef0
      default_field: false
    - name: target.instance.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Instance name of the host machine.
      default_field: false
    - name: target.machine.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine type of the host machine.
      example: t2.medium
      default_field: false
    - name: target.project.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project identifier.

        Examples: Google Cloud Project id, Azure Project id.'
      example: my-project
      default_field: false
    - name: target.project.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud project name.

        Examples: Google Cloud Project name, Azure Project name.'
      example: my project
      default_field: false
    - name: target.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cloud provider. Example values are aws, azure, gcp,
        or digitalocean.
      example: aws
      default_field: false
    - name: target.region
      level: extended
      type: keyword
      ignore_above: 1024
      description: Region in which this host, resource, or service is located.
      example: us-east-1
      default_field: false
    - name: target.service.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The cloud service name is intended to distinguish services running
        on different platforms within a provider, e.g. AWS EC2 vs Lambda, GCP GCE vs
        App Engine, Azure VM vs App Server.

        Examples: app engine, app service, cloud run, fargate, lambda.'
      example: lambda
      default_field: false
  - name: code_signature
    title: Code Signature
    group: 2
    description: These fields contain information about binary code signatures.
    type: group
    default_field: true
    fields:
    - name: digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer
      example: Microsoft Corporation
      default_field: false
    - name: team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
  - name: container
    title: Container
    group: 2
    description: 'Container fields are used for meta information about the specific
      container that is the source of information.
      These fields help correlate data based on containers from any runtime.'
    type: group
    default_field: true
    fields:
    - name: cpu.usage
      level: extended
      type: scaled_float
      description: 'Percent CPU used which is normalized by the number of CPU cores
        and it ranges from 0 to 1. Scaling factor: 1000.'
      scaling_factor: 1000
      default_field: false
    - name: disk.read.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) read successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: disk.write.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) written successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique container id.
    - name: image.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the image the container was built on.
    - name: image.tag
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container image tags.
    - name: labels
      level: extended
      type: object
      object_type: keyword
      description: Image labels.
    - name: memory.usage
      level: extended
      type: scaled_float
      description: 'Memory usage percentage and it ranges from 0 to 1. Scaling factor:
        1000.'
      scaling_factor: 1000
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Container name.
    - name: network.egress.bytes
      level: extended
      type: long
      description: The number of bytes (gauge) sent out on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: network.ingress.bytes
      level: extended
      type: long
      description: The number of bytes received (gauge) on all network interfaces
        by the container since the last metric collection.
      default_field: false
    - name: runtime
      level: extended
      type: keyword
      ignore_above: 1024
      description: Runtime managing this container.
      example: docker
  - name: data_stream
    title: Data Stream
    group: 2
    description: 'The data_stream fields take part in defining the new data stream
      naming scheme.

      In the new data stream naming scheme the value of the data stream fields combine
      to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
      This means the fields can only contain characters that are valid as part of
      names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
      post].

      An Elasticsearch data stream consists of one or more backing indices, and a
      data stream name forms part of the backing indices names. Due to this convention,
      data streams must also follow index naming restrictions. For example, data stream
      names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
      `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
    type: group
    default_field: true
    fields:
    - name: dataset
      level: extended
      type: constant_keyword
      description: "The field can contain anything that makes sense to signify the\
        \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
        \ etc. For data streams that otherwise fit, but that do not have dataset set\
        \ we use the value \"generic\" for the dataset value. `event.dataset` should\
        \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
        \ data stream naming criteria noted above, the `dataset` value has additional\
        \ restrictions:\n  * Must not contain `-`\n  * No longer than 100 characters"
      example: nginx.access
      default_field: false
    - name: namespace
      level: extended
      type: constant_keyword
      description: "A user defined namespace. Namespaces are useful to allow grouping\
        \ of data.\nMany users already organize their indices this way, and the data\
        \ stream naming scheme now provides this best practice as a default. Many\
        \ users will populate this field with `default`. If no value is used, it falls\
        \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
        \ above, `namespace` value has the additional restrictions:\n  * Must not\
        \ contain `-`\n  * No longer than 100 characters"
      example: production
      default_field: false
    - name: type
      level: extended
      type: constant_keyword
      description: 'An overarching type for the data stream.

        Currently allowed values are "logs" and "metrics". We expect to also add "traces"
        and "synthetics" in the near future.'
      example: logs
      default_field: false
  - name: destination
    title: Destination
    group: 2
    description: 'Destination fields capture details about the receiver of a network
      exchange/packet. These fields are populated from a network event, packet, or
      other event containing details of a network transaction.

      Destination fields are usually populated in conjunction with source fields.
      The source and destination fields are considered the baseline and should always
      be filled if an event contains source and destination details from a network
      transaction. If the event also contains identification of the client and server
      roles, then the client and server fields should also be populated.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event destination addresses are defined ambiguously. The
        event will sometimes list an IP, a domain or a unix socket. You should always
        store the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the destination to the source.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the destination system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the destination (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the destination.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of destination-based NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Port the source session is translated to by NAT Device.

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the destination to the source.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the destination.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered destination domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: dll
    title: DLL
    group: 2
    description: 'These fields contain information about code libraries dynamically
      loaded into processes.


      Many operating systems refer to "shared code libraries" with different names,
      but this field set refers to all of the following:

      * Dynamic-link library (`.dll`) commonly used on Windows

      * Shared Object (`.so`) commonly used on Unix-like operating systems

      * Dynamic library (`.dylib`) commonly used on macOS'
    type: group
    default_field: true
    fields:
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the library.

        This generally maps to the name of the file on disk.'
      example: kernel32.dll
      default_field: false
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      description: Full file path of the library.
      example: C:\Windows\System32\kernel32.dll
      default_field: false
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
  - name: dns
    title: DNS
    group: 2
    description: 'Fields describing DNS queries and answers.

      DNS events should either represent a single DNS query prior to getting answers
      (`dns.type:query`) or they should represent a full exchange and contain the
      query details as well as all of the answers that were provided for this query
      (`dns.type:answer`).'
    type: group
    default_field: true
    fields:
    - name: answers
      level: extended
      type: object
      description: 'An array containing an object for each answer section returned
        by the server.

        The main keys that should be present in these objects are defined by ECS.
        Records that have more information may contain more keys than what ECS defines.

        Not all DNS data sources give all details about DNS answers. At minimum, answer
        objects must contain the `data` key. If more information is available, map
        as much of it to ECS as possible, and add any additional fields to the answer
        objects as custom fields.'
    - name: answers.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: The class of DNS data contained in this resource record.
      example: IN
    - name: answers.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The data describing the resource.

        The meaning of this data depends on the type and class of the resource record.'
      example: 10.10.10.10
    - name: answers.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The domain name to which this resource record pertains.

        If a chain of CNAME is being resolved, each answer''s `name` should be the
        one that corresponds with the answer''s `data`. It should not simply be the
        original `question.name` repeated.'
      example: www.example.com
    - name: answers.ttl
      level: extended
      type: long
      description: The time interval in seconds that this resource record may be cached
        before it should be discarded. Zero values mean that the data should not be
        cached.
      example: 180
    - name: answers.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of data contained in this resource record.
      example: CNAME
    - name: header_flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of 2 letter DNS header flags.

        Expected values are: AA, TC, RD, RA, AD, CD, DO.'
      example: '["RD", "RA"]'
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS packet identifier assigned by the program that generated
        the query. The identifier is copied to the response.
      example: 62111
    - name: op_code
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS operation code that specifies the kind of query in the
        message. This value is set by the originator of a query and copied into the
        response.
      example: QUERY
    - name: question.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: The class of records being queried.
      example: IN
    - name: question.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The name being queried.

        If the name field contains non-printable characters (below 32 or above 126),
        those characters should be represented as escaped base 10 integers (\DDD).
        Back slashes and quotes should be escaped. Tabs, carriage returns, and line
        feeds should be converted to \t, \r, and \n respectively.'
      example: www.example.com
    - name: question.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: question.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain is all of the labels under the registered_domain.

        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: www
    - name: question.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: question.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of record being queried.
      example: AAAA
    - name: resolved_ip
      level: extended
      type: ip
      description: 'Array containing all IPs seen in `answers.data`.

        The `answers` array can be difficult to use, because of the variety of data
        formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
        makes it possible to index them as IP addresses, and makes them easier to
        visualize and query for.'
      example: '["10.10.10.10", "10.10.10.11"]'
    - name: response_code
      level: extended
      type: keyword
      ignore_above: 1024
      description: The DNS response code.
      example: NOERROR
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The type of DNS event captured, query or answer.

        If your source of DNS events only gives you DNS queries, you should only create
        dns events of type `dns.type:query`.

        If your source of DNS events gives you answers as well, you should create
        one event per query (optionally as soon as the query is seen), and a second
        event containing all query details as well as an array of answers.'
      example: answer
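The three domain-splitting fields above (`question.registered_domain`, `question.subdomain`, `question.top_level_domain`), the `resolved_ip` extraction from `answers.data`, and the one-query-event-plus-one-answer-event guidance under `type` are easiest to see together. The following Python is an added example, not code from the ECS project: it embeds a constructed four-entry subset of the Public Suffix List (`PUBLIC_SUFFIXES`) and a constructed answer section (`SAMPLE_ANSWERS`), and it fills only the `dns.*` namespace.

```python
"""Build ECS dns.* events from a captured query and its answers.

Added example, not code from the ECS project. PUBLIC_SUFFIXES is a
constructed four-entry subset of the Public Suffix List (assumption); a real
pipeline loads the full list from https://publicsuffix.org.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed subset of the public suffix list (assumption). Because "co.uk"
# is listed as well as "uk", the longest matching suffix is the eTLD.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def split_domain(name: str) -> dict:
    """dns.question.top_level_domain / registered_domain / subdomain for `name`."""
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name towards the right: the first hit is the longest suffix.
    suffix_start = len(labels) - 1  # fallback: last label, the approximation ECS warns about
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
            break
    out = {"top_level_domain": ".".join(labels[suffix_start:])}
    if suffix_start > 0:                 # something is registered under the suffix
        out["registered_domain"] = ".".join(labels[suffix_start - 1:])
        if suffix_start > 1:             # labels left of the registered domain
            out["subdomain"] = ".".join(labels[:suffix_start - 1])
    return out


def resolved_ips(answers: Iterable[dict]) -> list:
    """dns.resolved_ip: every IPv4/IPv6 literal in answers[].data, deduplicated,
    order kept. CNAME/MX/TXT data is skipped because it does not parse as an address."""
    ips = []
    for answer in answers:
        try:
            ip = str(ipaddress.ip_address(answer.get("data", "")))
        except ValueError:
            continue
        if ip not in ips:
            ips.append(ip)
    return ips


def build_dns_events(qname: str, qtype: str, answers: Optional[list] = None,
                     response_code: Optional[str] = None) -> tuple:
    """Return (query_event, answer_event). The answer event is None when only the
    query was observed: one event for the query, and a second one that repeats
    the question and carries the answers, as the dns.type guidance describes."""
    question = {"name": qname, "type": qtype, **split_domain(qname)}
    query_event = {"dns": {"type": "query", "question": question}}
    if answers is None:
        return query_event, None
    answer_event = {"dns": {
        "type": "answer",
        "question": dict(question),
        "answers": list(answers),
        "resolved_ip": resolved_ips(answers),
    }}
    if response_code:
        answer_event["dns"]["response_code"] = response_code
    return query_event, answer_event


# Constructed answer section: a CNAME chain ending in A/AAAA records.
SAMPLE_ANSWERS = [
    {"name": "www.example.co.uk", "type": "CNAME", "class": "IN", "ttl": 300, "data": "edge.example.co.uk"},
    {"name": "edge.example.co.uk", "type": "A", "class": "IN", "ttl": 60, "data": "10.10.10.10"},
    {"name": "edge.example.co.uk", "type": "A", "class": "IN", "ttl": 60, "data": "10.10.10.11"},
    {"name": "edge.example.co.uk", "type": "AAAA", "class": "IN", "ttl": 60, "data": "2001:db8::1"},
]

if __name__ == "__main__":
    query, answer = build_dns_events("www.example.co.uk", "A", SAMPLE_ANSWERS, "NOERROR")
    print(query["dns"]["question"])
    print(answer["dns"]["resolved_ip"])
```

Because the suffix lookup tries the longest candidate first, `www.example.co.uk` yields `co.uk` as the eTLD and `example.co.uk` as the registered domain, which the naive last-two-labels approach gets wrong. For a suffix that is not in the list the code falls back to the last label, which is exactly the approximation the field descriptions warn about, so a production pipeline must load the full list.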
  - name: ecs
    title: ECS
    group: 2
    description: Meta-information specific to ECS.
    type: group
    default_field: true
    fields:
    - name: version
      level: core
      required: true
      type: keyword
      ignore_above: 1024
      description: 'ECS version this event conforms to. `ecs.version` is a required
        field and must exist in all events.

        When querying across multiple indices -- which may conform to slightly different
        ECS versions -- this field lets integrations adjust to the schema version
        of the events.'
      example: 1.0.0
  - name: elf
    title: ELF Header
    group: 2
    description: These fields contain Linux Executable Linkable Format (ELF) metadata.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
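To show how the header fields and the per-section `entropy` and `chi2` values above are derived from bytes on disk, here is an added Python example (not code from the ECS project; the same mapping applies to the `file.elf.*` copy of these fields). The ELF image is constructed in memory, so section offsets are passed in explicitly rather than read from a section header table (an assumption), and the chi-square value is computed as the statistic of the byte histogram against a uniform distribution (also an assumption; the schema only names the measure).

```python
"""Populate ECS elf.* (and, identically, file.elf.*) from raw ELF bytes.

Added example, not code from the ECS project. The ELF image is constructed
in memory: a bare ELF64 header followed by two synthetic sections, with no
section header table, so section offsets and sizes are passed in explicitly
(assumption) instead of being read from the image.
"""
import math
import random
import struct
from collections import Counter

# Standard e_ident / e_type / e_machine codes from the ELF specification.
ELF_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}
ELF_DATA = {1: "ELFDATA2LSB", 2: "ELFDATA2MSB"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
OS_ABI = {0: "SYSV", 3: "LINUX"}
MACHINE = {0x3E: "x86-64", 0xB7: "aarch64"}


def parse_elf64_header(image: bytes) -> dict:
    """elf.architecture, elf.byte_order and elf.header.* from the 64-byte ELF64 header."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = image[4:9]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version, e_entry = struct.unpack_from(endian + "HHIQ", image, 16)
    return {
        "architecture": MACHINE.get(e_machine, hex(e_machine)),
        "byte_order": "Little Endian" if ei_data == 1 else "Big Endian",
        "header": {
            "class": ELF_CLASS[ei_class],
            "data": ELF_DATA.get(ei_data, str(ei_data)),
            "type": ELF_TYPE.get(e_type, str(e_type)),
            "os_abi": OS_ABI.get(ei_osabi, str(ei_osabi)),
            "abi_version": str(ei_abiversion),
            "version": str(ei_version),
            "object_version": hex(e_version),   # "0x1" for original ELF files
            "entrypoint": e_entry,
        },
    }


def shannon_entropy(data: bytes) -> float:
    """elf.sections.entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """elf.sections.chi2 as the chi-square statistic of the byte histogram against a
    uniform distribution (assumption). Values near 255 look random or packed;
    large values mean the bytes are structured, as in ordinary code."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def elf_fields(image: bytes, sections: list) -> dict:
    """Full elf.* document. `sections` lists (name, offset, size, type, flags)
    tuples describing where each section lives in `image` (assumption, see above)."""
    doc = parse_elf64_header(image)
    doc["sections"] = []
    for name, offset, size, sh_type, flags in sections:
        body = image[offset:offset + size]
        doc["sections"].append({
            "name": name, "type": sh_type, "flags": flags,
            "physical_offset": hex(offset), "physical_size": len(body),
            "entropy": shannon_entropy(body), "chi2": chi_square(body),
        })
    return doc


def build_sample_image() -> tuple:
    """Constructed ELF64 little-endian x86-64 EXEC image: header, a low-entropy
    .text made of a repeating 16-byte pattern, and a high-entropy .data filled
    from a seeded PRNG to stand in for packed or encrypted content."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,
                                 64, 0, 0, 64, 56, 0, 64, 0, 0)
    text = bytes(range(16)) * 32                               # 512 bytes, 16 symbols
    rng = random.Random(1)
    data = bytes(rng.getrandbits(8) for _ in range(4096))      # 4096 pseudo-random bytes
    sections = [(".text", 64, len(text), "PROGBITS", "AX"),
                (".data", 64 + len(text), len(data), "PROGBITS", "WA")]
    return header + text + data, sections


if __name__ == "__main__":
    image, sections = build_sample_image()
    for s in elf_fields(image, sections)["sections"]:
        print(s["name"], round(s["entropy"], 3), round(s["chi2"], 1))
```

The schema maps `sections.entropy` and `sections.chi2` as `long`, so a pipeline that indexes these values will typically round them; the functions return the exact floats so the rounding policy stays with the pipeline. A section whose entropy is close to 8 and whose chi-square is close to 255 is the usual first hint of packing or embedded encrypted payloads.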
  - name: error
    title: Error
    group: 2
    description: 'These fields can represent errors of any kind.

      Use them for errors that happen while fetching events or in cases where the
      event itself contains an error.'
    type: group
    default_field: true
    fields:
    - name: code
      level: core
      type: keyword
      ignore_above: 1024
      description: Error code describing the error.
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the error.
    - name: message
      level: core
      type: match_only_text
      description: Error message.
    - name: stack_trace
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The stack trace of this error in plain text.
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of the error, for example the class name of the exception.
      example: java.lang.NullPointerException
  - name: event
    title: Event
    group: 2
    description: 'The event fields are used for context information about the log
      or metric event itself.

      A log is defined as an event containing details of something that happened.
      Log events must include the time at which the thing happened. Examples of log
      events include a process starting on a host, a network packet being sent from
      a source to a destination, or a network connection between a client and a server
      being initiated or closed. A metric is defined as an event containing one or
      more numerical measurements and the time at which the measurement was taken.
      Examples of metric events include memory pressure measured on a host and device
      temperature. See the `event.kind` definition in this section for additional
      details about metric and state events.'
    type: group
    default_field: true
    fields:
    - name: action
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The action captured by the event.

        This describes the information in the event. It is more specific than `event.category`.
        Examples are `group-add`, `process-started`, `file-created`. The value is
        normally defined by the implementer.'
      example: user-password-change
    - name: agent_id_status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Agents are normally responsible for populating the `agent.id`
        field value. If the system receiving events is capable of validating the value
        based on authentication information for the client then this field can be
        used to reflect the outcome of that validation.

        For example if the agent''s connection is authenticated with mTLS and the
        client cert contains the ID of the agent to which the cert was issued then
        the `agent.id` value in events can be checked against the certificate. If
        the values match then `event.agent_id_status: verified` is added to the event,
        otherwise one of the other allowed values should be used.

        If no validation is performed then the field should be omitted.

        The allowed values are:

        `verified` - The `agent.id` field value matches expected value obtained from
        auth metadata.

        `mismatch` - The `agent.id` field value does not match the expected value
        obtained from auth metadata.

        `missing` - There was no `agent.id` field in the event to validate.

        `auth_metadata_missing` - There was no auth metadata or it was missing information
        about the agent ID.'
      example: verified
      default_field: false
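The validation described above, written out as an added Python example (not code from the ECS project). It assumes the transport layer has already authenticated the agent with mTLS and passes the agent ID bound to the client certificate as `auth_metadata["agent_id"]` (how that ID is carried in the certificate is deployment-specific); the sample batch is constructed.

```python
"""Stamp event.agent_id_status on events received from authenticated agents.

Added example, not code from the ECS project. It assumes the transport has
already done mTLS and handed over the agent ID bound to the client
certificate as auth_metadata["agent_id"] (assumption: the certificate field
that carries the ID is deployment-specific).
"""
from typing import Optional

VERIFIED = "verified"
MISMATCH = "mismatch"
MISSING = "missing"
AUTH_METADATA_MISSING = "auth_metadata_missing"


def agent_id_status(event: dict, auth_metadata: Optional[dict]) -> str:
    """Pick one of the four allowed values. Only call this when validation is
    actually performed; a receiver that does not validate omits the field."""
    expected = (auth_metadata or {}).get("agent_id")
    if not expected:
        return AUTH_METADATA_MISSING
    claimed = (event.get("agent") or {}).get("id")
    if not claimed:
        return MISSING
    return VERIFIED if claimed == expected else MISMATCH


def stamp(event: dict, auth_metadata: Optional[dict]) -> dict:
    """Return a copy of the event with event.agent_id_status set."""
    out = dict(event)
    out["event"] = dict(event.get("event", {}))
    out["event"]["agent_id_status"] = agent_id_status(event, auth_metadata)
    return out


def triage(batch: list) -> dict:
    """Split (event, auth_metadata) pairs into events safe to index as-is and events
    whose host attribution must not be trusted. A mismatch means a client holding
    one agent's certificate is claiming another agent's identity, which is how an
    attacker would plant events in a different host's timeline."""
    accepted, suspicious = [], []
    for event, meta in batch:
        stamped = stamp(event, meta)
        bucket = accepted if stamped["event"]["agent_id_status"] == VERIFIED else suspicious
        bucket.append(stamped)
    return {"accepted": accepted, "suspicious": suspicious}


# Constructed batch: two honest agents, one event whose agent.id does not match
# the identity in the presented certificate, and one event without agent.id.
SAMPLE_BATCH = [
    ({"agent": {"id": "a1-host-web01"}, "message": "sshd: Accepted publickey"}, {"agent_id": "a1-host-web01"}),
    ({"agent": {"id": "a2-host-db01"}, "message": "cron: job ran"}, {"agent_id": "a2-host-db01"}),
    ({"agent": {"id": "a2-host-db01"}, "message": "audit: sudo used"}, {"agent_id": "a9-host-kiosk"}),
    ({"message": "no agent block at all"}, {"agent_id": "a1-host-web01"}),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_BATCH)["suspicious"]:
        print(ev["event"]["agent_id_status"], ev["message"])
```

Events stamped `mismatch` are the interesting ones for detection: a single compromised agent key is enough to forge events for any `agent.id`, so the receiver, not the agent, is the only place this check can be trusted.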
    - name: category
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        second level in the ECS category hierarchy.

        `event.category` represents the "big buckets" of ECS categories. For example,
        filtering on `event.category:process` yields all events relating to process
        activity. This field is closely related to `event.type`, which is used as
        a subcategory.

        This field is an array. This will allow proper categorization of some events
        that fall in multiple categories.'
      example: authentication
    - name: code
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identification code for this event, if one exists.

        Some event sources use event codes to identify messages unambiguously, regardless
        of message language or wording adjustments over time. An example of this is
        the Windows Event ID.'
      example: 4648
    - name: created
      level: core
      type: date
      description: 'event.created contains the date/time when the event was first
        read by an agent, or by your pipeline.

        This field is distinct from @timestamp in that @timestamp typically contains
        the time extracted from the original event.

        In most situations, these two timestamps will be slightly different. The difference
        can be used to calculate the delay between your source generating an event,
        and the time when your agent first processed it. This can be used to monitor
        your agent''s or pipeline''s ability to keep up with your event source.

        In case the two timestamps are identical, @timestamp should be used.'
      example: '2016-05-23T08:05:34.857Z'
    - name: dataset
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the dataset.

        If an event source publishes more than one type of log or events (e.g. access
        log, error log), the dataset is used to specify which one the event comes
        from.

        It''s recommended but not required to start the dataset name with the module
        name, followed by a dot, then the dataset name.'
      example: apache.access
    - name: duration
      level: core
      type: long
      format: duration
      input_format: nanoseconds
      output_format: asMilliseconds
      output_precision: 1
      description: 'Duration of the event in nanoseconds.

        If event.start and event.end are known this value should be the difference
        between the end and start time.'
    - name: end
      level: extended
      type: date
      description: event.end contains the date when the event ended or when the activity
        was last observed.
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: Hash (perhaps logstash fingerprint) of raw field to be able to
        demonstrate log integrity.
      example: 123456789012345678901234567890ABCD
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique ID to describe the event.
      example: 8a4f500d
    - name: ingested
      level: core
      type: date
      description: 'Timestamp when an event arrived in the central data store.

        This is different from `@timestamp`, which is when the event originally occurred. It''s
        also different from `event.created`, which is meant to capture the first time
        an agent saw the event.

        In normal conditions, assuming no tampering, the timestamps should chronologically
        look like this: `@timestamp` < `event.created` < `event.ingested`.'
      example: '2016-05-23T08:05:35.101Z'
      default_field: false
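The relationships between `@timestamp`, `event.created` and `event.ingested`, the `event.duration` rule (end minus start, in nanoseconds) and the `event.hash` integrity idea can be checked mechanically. The following added Python example (not code from the ECS project) does that for a constructed event that reuses the schema's own example timestamps; the keyed HMAC for `event.hash` and the `PIPELINE_KEY` constant are assumptions, since ECS only says the field is a hash of the raw field.

```python
"""Consistency checks on the ECS event envelope: @timestamp vs event.created vs
event.ingested, event.duration vs event.start/end, and event.hash over event.original.

Added example, not code from the ECS project. The events are constructed;
event.created and event.ingested reuse the schema's own example values.
ECS only says event.hash is a hash "perhaps logstash fingerprint" of the raw
field, so the keyed HMAC here is an assumption: a keyed hash lets the pipeline
detect edits by someone who can write to the store but does not hold the key.
"""
import hashlib
import hmac
from datetime import datetime

PIPELINE_KEY = b"constructed-demo-key"   # assumption: in practice injected from a secret store
NS_PER_S = 1_000_000_000


def parse_ts(value: str) -> datetime:
    """RFC 3339 with a trailing Z, as ECS dates are usually written."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def integrity_hash(original: str) -> str:
    """event.hash over event.original (keyed; see the note above)."""
    return hmac.new(PIPELINE_KEY, original.encode("utf-8"), hashlib.sha256).hexdigest()


def delta_ns(start: datetime, end: datetime) -> int:
    """Exact nanoseconds between two datetimes (microsecond resolution, no float rounding)."""
    d = end - start
    return (d.days * 86400 + d.seconds) * NS_PER_S + d.microseconds * 1000


def pipeline_delays_ms(event: dict) -> dict:
    """How long the event waited at the source and then at the agent, in milliseconds.
    Negative numbers mean the expected order @timestamp < event.created < event.ingested
    does not hold, which points at clock skew or tampering."""
    ts = parse_ts(event["@timestamp"])
    created = parse_ts(event["event"]["created"])
    ingested = parse_ts(event["event"]["ingested"])
    return {
        "source_to_agent_ms": delta_ns(ts, created) / 1_000_000,
        "agent_to_store_ms": delta_ns(created, ingested) / 1_000_000,
    }


def check_event(event: dict) -> list:
    """Return the problems found; an empty list means the envelope is consistent."""
    problems = []
    ev = event["event"]
    delays = pipeline_delays_ms(event)
    if delays["source_to_agent_ms"] < 0 or delays["agent_to_store_ms"] < 0:
        problems.append("timestamps out of order")
    if "start" in ev and "end" in ev:
        expected = delta_ns(parse_ts(ev["start"]), parse_ts(ev["end"]))
        if ev.get("duration") != expected:
            problems.append(f"event.duration {ev.get('duration')} != end-start {expected}")
    if "hash" in ev and "original" in ev:
        if not hmac.compare_digest(ev["hash"], integrity_hash(ev["original"])):
            problems.append("event.original does not match event.hash")
    return problems


def make_sample_event() -> dict:
    """Constructed event; duration and hash are computed so the event is consistent."""
    original = "May 23 08:05:34 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
    event = {
        "@timestamp": "2016-05-23T08:05:34.000Z",
        "event": {
            "created": "2016-05-23T08:05:34.857Z",
            "ingested": "2016-05-23T08:05:35.101Z",
            "start": "2016-05-23T08:05:30.000Z",
            "end": "2016-05-23T08:05:34.000Z",
            "original": original,
        },
    }
    ev = event["event"]
    ev["duration"] = delta_ns(parse_ts(ev["start"]), parse_ts(ev["end"]))
    ev["hash"] = integrity_hash(original)
    return event


if __name__ == "__main__":
    sample = make_sample_event()
    print(pipeline_delays_ms(sample), check_event(sample))
    tampered = make_sample_event()
    tampered["event"]["original"] = tampered["event"]["original"].replace("alice", "root")
    print(check_event(tampered))
```

The delay figures are the ones the `event.created` description suggests monitoring: a growing `source_to_agent_ms` means the agent is falling behind its source, a growing `agent_to_store_ms` means the pipeline is. An unkeyed fingerprint only detects accidental corruption; it cannot distinguish a log line edited by an intruder with write access from the original, because the intruder can recompute it.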
    - name: kind
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        highest level in the ECS category hierarchy.

        `event.kind` gives high-level information about what type of information the
        event contains, without being specific to the contents of the event. For example,
        values of this field distinguish alert events from metric events.

        The value of this field can be used to inform how these kinds of events should
        be handled. They may warrant different retention or different access control,
        and it may also help determine whether the data is coming in at a regular interval
        or not.'
      example: alert
    - name: module
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the module this data is coming from.

        If your monitoring agent supports the concept of modules or plugins to process
        events of a given source (e.g. Apache logs), `event.module` should contain
        the name of this module.'
      example: apache
    - name: original
      level: core
      type: keyword
      description: 'Raw text message of entire event. Used to demonstrate log integrity
        or where the full log message (before splitting it up in multiple parts) may
        be required, e.g. for reindex.

        This field is not indexed and doc_values are disabled. It cannot be searched,
        but it can be retrieved from `_source`. If users wish to override this and
        index this field, please see `Field data types` in the `Elasticsearch Reference`.'
      example: Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfully
        stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
      index: false
      doc_values: false
    - name: outcome
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        lowest level in the ECS category hierarchy.

        `event.outcome` simply denotes whether the event represents a success or a
        failure from the perspective of the entity that produced the event.

        Note that when a single transaction is described in multiple events, each
        event may populate different values of `event.outcome`, according to their
        perspective.

        Also note that in the case of a compound event (a single event that contains
        multiple logical events), this field should be populated with the value that
        best captures the overall success or failure from the perspective of the event
        producer.

        Further note that not all events will have an associated outcome. For example,
        this field is generally not populated for metric events, events with `event.type:info`,
        or any events for which an outcome does not make logical sense.'
      example: success
    - name: provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Source of the event.

        Event transports such as Syslog or the Windows Event Log typically mention
        the source of an event. It can be the name of the software that generated
        the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
        (kernel, Microsoft-Windows-Security-Auditing).'
      example: kernel
    - name: reason
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reason why this event happened, according to the source.

        This describes the why of a particular action or outcome captured in the event.
        Where `event.action` captures the action from the event, `event.reason` describes
        why that action was taken. For example, a web proxy with an `event.action`
        which denied the request may also populate `event.reason` with the reason
        why (e.g. `blocked site`).'
      example: Terminated an unexpected process
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reference URL linking to additional information about this event.

        This URL links to a static definition of this event. Alert events, indicated
        by `event.kind:alert`, are a common use case for this field.'
      example: https://system.example.com/event/#0001234
      default_field: false
    - name: risk_score
      level: core
      type: float
      description: Risk score or priority of the event (e.g. security solutions).
        Use your system's original value here.
    - name: risk_score_norm
      level: extended
      type: float
      description: 'Normalized risk score or priority of the event, on a scale of
        0 to 100.

        This is mainly useful if you use more than one system that assigns risk scores,
        and you want to see a normalized value across all systems.'
    - name: sequence
      level: extended
      type: long
      format: string
      description: 'Sequence number of the event.

        The sequence number is a value published by some event sources, to make the
        exact ordering of events unambiguous, regardless of the timestamp precision.'
    - name: severity
      level: core
      type: long
      format: string
      description: 'The numeric severity of the event according to your event source.

        What the different severity values mean can be different between sources and
        use cases. It''s up to the implementer to make sure severities are consistent
        across events from the same source.

        The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
        is meant to represent the severity according to the event source (e.g. firewall,
        IDS). If the event source does not publish its own severity, you may optionally
        copy the `log.syslog.severity.code` to `event.severity`.'
      example: 7
    - name: start
      level: extended
      type: date
      description: event.start contains the date when the event started or when the
        activity was first observed.
    - name: timezone
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'This field should be populated when the event''s timestamp does
        not include timezone information already (e.g. default Syslog timestamps).
        It''s optional otherwise.

        Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
        abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'This is one of four ECS Categorization Fields, and indicates the
        third level in the ECS category hierarchy.

        `event.type` represents a categorization "sub-bucket" that, when used along
        with the `event.category` field values, enables filtering events down to a
        level appropriate for single visualization.

        This field is an array. This will allow proper categorization of some events
        that fall in multiple event types.'
    - name: url
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'URL linking to an external system to continue investigation of
        this event.

        This URL links to another system where in-depth investigation of the specific
        occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
        are a common use case for this field.'
      example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
      default_field: false
  - name: faas
    title: FaaS
    group: 2
    description: The FaaS fields describe information about the function as a service
      that is relevant to the event.
    type: group
    default_field: true
    fields:
    - name: coldstart
      level: extended
      type: boolean
      description: Boolean value indicating a cold start of a function.
      default_field: false
    - name: execution
      level: extended
      type: keyword
      ignore_above: 1024
      description: The execution ID of the current function execution.
      example: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
      default_field: false
    - name: trigger
      level: extended
      type: nested
      description: Details about the function trigger.
      default_field: false
    - name: trigger.request_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The ID of the trigger request, message, event, etc.
      example: 123456789
      default_field: false
    - name: trigger.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The trigger for the function execution.\nExpected values are:\n\
        \  * http\n  * pubsub\n  * datasource\n  * timer\n  * other"
      example: http
      default_field: false
  - name: file
    title: File
    group: 2
    description: 'A file is defined as a set of information that has been created
      on, or has existed on a filesystem.

      File objects can be associated with host events, network events, and/or file
      events (e.g., those produced by File Integrity Monitoring [FIM] products or
      services). File fields provide details about the affected file associated with
      the event or metric.'
    type: group
    default_field: true
    fields:
    - name: accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
    - name: attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attribute names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the file.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the file.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the file.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
    - name: ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
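How `ctime` moves with metadata-only changes while `mtime` tracks content, and how the stat fields map onto `file.*`, as an added Python example (not code from the ECS project). It creates its own temporary file, so it runs offline under POSIX timestamp semantics; `file.created` is filled only where `stat` exposes `st_birthtime`, which Linux does not.

```python
"""Fill the ECS file.* timestamp fields from stat(2) and demonstrate the
ctime/mtime rule.

Added example, not code from the ECS project. It works on a temporary file
it creates itself. file.created comes from st_birthtime, which only macOS and
the BSDs expose; Linux stat(2) has no creation time, so the field is omitted there.
"""
import os
import stat
import tempfile
import time
from datetime import datetime, timezone


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def ecs_file_fields(path: str) -> dict:
    """file.accessed / mtime / ctime (and created where available) plus a few
    descriptive fields, straight from os.stat without following symlinks."""
    st = os.stat(path, follow_symlinks=False)
    fields = {
        "path": path,
        "name": os.path.basename(path),
        "directory": os.path.dirname(path),
        "size": st.st_size,
        "mode": format(stat.S_IMODE(st.st_mode), "04o"),
        "accessed": _iso(st.st_atime),
        "mtime": _iso(st.st_mtime),
        "ctime": _iso(st.st_ctime),
    }
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        fields["created"] = _iso(birth)
    return fields


def ctime_vs_mtime_demo() -> dict:
    """A metadata-only change (chmod) must move ctime but leave mtime alone;
    a content change moves mtime and, because mtime is itself metadata, ctime too.
    Short sleeps keep the three samples on different kernel timestamp ticks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.log")
        with open(path, "w") as f:
            f.write("constructed sample line\n")
        before = os.stat(path)
        time.sleep(0.05)
        os.chmod(path, 0o600)
        after_chmod = os.stat(path)
        time.sleep(0.05)
        with open(path, "a") as f:
            f.write("second constructed line\n")
        after_write = os.stat(path)
        fields = ecs_file_fields(path)
    return {
        "chmod_moved_ctime": after_chmod.st_ctime_ns > before.st_ctime_ns,
        "chmod_kept_mtime": after_chmod.st_mtime_ns == before.st_mtime_ns,
        "write_moved_mtime": after_write.st_mtime_ns > after_chmod.st_mtime_ns,
        "write_moved_ctime": after_write.st_ctime_ns > after_chmod.st_ctime_ns,
        "mode_after_chmod": fields["mode"],
        "has_ctime_field": "ctime" in fields and fields["ctime"].endswith("Z"),
    }


if __name__ == "__main__":
    for key, value in ctime_vs_mtime_demo().items():
        print(f"{key}: {value}")
```

For forensics the asymmetry is the useful part: `mtime` can be set to any value with `touch -d` or `utimensat(2)`, but that call itself updates `ctime` to the current time, so a file whose `mtime` is older than its `ctime` by a wide margin deserves a second look.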
    - name: device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
    - name: directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
    - name: drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
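# Added example, not ECS or Elastic code: a minimal ELF header parser that produces the
# elf.header.* values defined above, plus the Shannon entropy and chi-square statistics
# used for elf.sections.entropy and elf.sections.chi2. The readelf-style strings, the
# mapping of e_ident[EI_VERSION] to elf.header.version and of e_version to
# elf.header.object_version, and the sample header bytes are all assumptions made for
# this example; the sample header is constructed, not taken from a real binary.

```python
import math
import struct
from collections import Counter

# Enumerations from the ELF specification (e_ident[EI_CLASS], e_ident[EI_DATA],
# e_ident[EI_OSABI], e_type); the strings follow readelf's wording.
_CLASS = {1: "ELF32", 2: "ELF64"}
_DATA = {1: "2's complement, little endian", 2: "2's complement, big endian"}
_OSABI = {0: "UNIX - System V", 1: "HP-UX", 2: "NetBSD", 3: "Linux", 6: "Solaris",
          9: "FreeBSD", 12: "OpenBSD", 97: "ARM", 255: "Standalone"}
_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Return elf.header.* values for the ELF header at the start of `data`."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None or ei_class not in _CLASS:
        raise ValueError("unsupported EI_CLASS or EI_DATA value")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, then six
    # 16-bit size/count fields; only the width of the address fields differs.
    layout = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    size = struct.calcsize(layout)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    e_type, _machine, e_version, e_entry = struct.unpack(layout, data[16:16 + size])[:4]
    return {
        "class": _CLASS[ei_class],
        "data": _DATA[ei_data],
        "version": str(ei_version),           # e_ident[EI_VERSION] (assumed mapping)
        "object_version": hex(e_version),     # e_version; "0x1" for EV_CURRENT
        "os_abi": _OSABI.get(ei_osabi, f"unknown ({ei_osabi})"),
        "abi_version": ei_abiversion,
        "type": _TYPE.get(e_type, f"unknown ({e_type})"),
        "entrypoint": e_entry,
    }


def section_stats(section: bytes) -> dict:
    """elf.sections.entropy (Shannon entropy, bits per byte, 0..8) and
    elf.sections.chi2 (chi-square of the byte histogram against uniform)."""
    n = len(section)
    if n == 0:
        return {"entropy": 0.0, "chi2": 0.0}
    counts = Counter(section)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return {"entropy": entropy, "chi2": chi2}


def sample_elf64_header(entry: int = 0x401000, e_type: int = 2) -> bytes:
    """Constructed 64-byte little-endian x86-64 header; no real binary behind it."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    body = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, entry,
                       64, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + body


if __name__ == "__main__":
    print(parse_elf_header(sample_elf64_header()))
    print(section_stats(bytes(range(256))))   # maximal entropy, chi2 of zero
    print(section_stats(b"\x00" * 64))        # zero entropy, large chi2
```

# A section of packed or encrypted code sits near 8 bits per byte with a small
# chi-square; a run of zero padding sits at the opposite extreme. Both statistics
# are only meaningful per section, which is why ECS nests them under elf.sections.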
    - name: extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
    - name: fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On macOS (HFS+ and APFS), a resource fork is used to store additional data
        with a filesystem object. A file always has at least one fork for the data
        portion, and additional forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
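# Added example, not ECS or Elastic code: splitting a full path into file.name,
# file.extension, file.directory and file.fork_name following the rules in the two
# descriptions above (only the last extension is kept; on NTFS the text after the
# colon in `name.ext:stream` is the fork name). Treating a dot-only leading name
# such as `.bashrc` as having no extension, and the heuristic used to decide whether
# a path is a Windows path, are assumptions of this example. The sample paths are
# constructed.

```python
import ntpath
import posixpath
from typing import Optional


def _looks_like_windows(path: str) -> bool:
    """Heuristic (assumption): a drive letter or a backslash means a Windows path."""
    return "\\" in path or (len(path) >= 2 and path[0].isalpha() and path[1] == ":")


def ecs_file_name_fields(path: str) -> dict:
    """Derive file.name, file.extension, file.directory and file.fork_name from a path.

    - file.path keeps the full string, fork name included.
    - file.extension is only the last extension ("gz" for example.tar.gz).
    - On Windows, "name.ext:stream" is an Alternate Data Stream; the stream name
      becomes fork_name, except for the default "$DATA" stream.
    - A name with no dot, or with only a leading dot, gets no extension (assumption).
    """
    windows = _looks_like_windows(path)
    directory, name = (ntpath.split if windows else posixpath.split)(path)
    fork_name: Optional[str] = None
    if windows and ":" in name:
        name, _, stream = name.partition(":")
        stream = stream.split(":", 1)[0]      # drop an explicit ":$DATA" type suffix
        if stream and stream != "$DATA":
            fork_name = stream
    stem, dot, ext = name.rpartition(".")
    extension = ext if dot and stem else None
    fields = {"path": path, "directory": directory, "name": name}
    if extension:
        fields["extension"] = extension
    if fork_name:
        fields["fork_name"] = fork_name
    return fields


if __name__ == "__main__":
    # Constructed sample paths.
    print(ecs_file_name_fields(r"C:\Users\alice\Downloads\report.tar.gz:Zone.Identifier"))
    print(ecs_file_name_fields("/home/alice/example.png"))
```

# A POSIX filename may legitimately contain a colon, so the ADS split is only applied
# to Windows paths; on a detection pipeline that is the difference between a
# Zone.Identifier fork and a mangled Linux file name.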
    - name: gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
    - name: group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
    - name: mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
    - name: mtime
      level: extended
      type: date
      description: Last time the file content was modified.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
    - name: owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
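# Added example, not ECS or pefile code: the import-hash recipe behind pe.imphash,
# reimplemented over a plain list of (dll, imports) pairs so it can run without a PE
# parser. Module names are lowercased and stripped of .dll/.ocx/.sys, function names
# are lowercased, ordinal imports become "ordN", and the MD5 is taken over the
# comma-joined list in import-table order. pefile additionally resolves ordinals to
# names for ws2_32 and oleaut32; that lookup table is omitted here. The sample import
# tables are constructed.

```python
import hashlib
from typing import Iterable, Sequence, Tuple, Union

# Suffixes pefile strips from the module name before hashing.
_STRIPPED_EXT = ("dll", "ocx", "sys")

ImportTable = Iterable[Tuple[str, Sequence[Union[str, int]]]]


def imphash_string(imports: ImportTable) -> str:
    """Canonical 'module.function,module.function,...' string the hash covers."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXT:
            lib = base
        for func in funcs:
            # Ordinal imports have no name; pefile's ws2_32/oleaut32 lookup is omitted.
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    """pe.imphash value: MD5 hex digest of the canonical import string."""
    return hashlib.md5(imphash_string(imports).encode("utf-8")).hexdigest()


# Constructed import table for demonstration; no real binary behind it.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("ADVAPI32.dll", ["RegOpenKeyExA"]),
    ("custom.dll", [7]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

# Two builds with the same imports in the same order share an imphash even when every
# other byte changes, which is why it survives recompilation; a reordered import
# table, or a sample that resolves its APIs at runtime, defeats it.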
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
    - name: target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Target path for symlinks.
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
    - name: uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
    - name: x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of the issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes of the issuing certificate authority.
      example: US
      default_field: false
    - name: x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes of the subject.
      example: US
      default_field: false
    - name: x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
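# Added example, not ECS or Elastic code: normalisers for three of the x509.* fields
# above. parse_dn splits a distinguished name into the list-valued issuer.* /
# subject.* fields (the split is a heuristic, an assumption of this example: it
# breaks on a comma only when the next attribute type follows, and honours RFC 4514
# "\," escapes, so the unescaped "O=Example, Inc." in the subject example above stays
# one value). normalize_serial applies the serial-number rule (uppercase hex, no
# colons), and signature_algorithm_name maps common signatureAlgorithm OIDs to the
# Go crypto/x509 names the description recommends. The DNs used are constructed or
# taken from the examples above.

```python
import re
from typing import Dict, List, Union

# DN attribute type -> ECS sub-field name (ST, S and P all mean state_or_province).
_DN_ATTR = {
    "CN": "common_name", "C": "country", "L": "locality", "O": "organization",
    "OU": "organizational_unit", "ST": "state_or_province", "S": "state_or_province",
    "P": "state_or_province",
}
# Split on an unescaped comma that is followed by the next "ATTR=" (heuristic).
_DN_SPLIT = re.compile(r"(?<!\\),\s*(?=[A-Za-z][A-Za-z0-9.-]*=)")

# signatureAlgorithm OID -> name used by Go's crypto/x509 SignatureAlgorithm.String().
_SIG_ALG = {
    "1.2.840.113549.1.1.4": "MD5-RSA",
    "1.2.840.113549.1.1.5": "SHA1-RSA",
    "1.2.840.113549.1.1.11": "SHA256-RSA",
    "1.2.840.113549.1.1.12": "SHA384-RSA",
    "1.2.840.113549.1.1.13": "SHA512-RSA",
    "1.2.840.10045.4.1": "ECDSA-SHA1",
    "1.2.840.10045.4.3.2": "ECDSA-SHA256",
    "1.2.840.10045.4.3.3": "ECDSA-SHA384",
    "1.2.840.10045.4.3.4": "ECDSA-SHA512",
    "1.3.101.112": "Ed25519",
}


def parse_dn(dn: str) -> Dict[str, Union[str, List[str]]]:
    """Split an RFC 4514 style DN into x509.{issuer,subject}.* values."""
    out: Dict[str, Union[str, List[str]]] = {"distinguished_name": dn}
    for rdn in _DN_SPLIT.split(dn):
        attr, eq, value = rdn.partition("=")
        if not eq:
            continue
        field = _DN_ATTR.get(attr.strip().upper())
        if field is None:
            continue  # e.g. emailAddress: no ECS sub-field, so it is dropped
        out.setdefault(field, []).append(value.strip().replace("\\,", ","))  # type: ignore[union-attr]
    return out


def normalize_serial(serial: Union[int, str]) -> str:
    """x509.serial_number: uppercase hexadecimal with no colons, spaces or 0x prefix."""
    if isinstance(serial, int):
        if serial < 0:
            raise ValueError("negative serial number")
        return format(serial, "X")
    cleaned = serial.replace(":", "").replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"serial is not hexadecimal: {serial!r}")
    return cleaned


def signature_algorithm_name(oid: str) -> str:
    """x509.signature_algorithm from the OID; unknown OIDs are passed through as-is."""
    return _SIG_ALG.get(oid, oid)


if __name__ == "__main__":
    print(parse_dn("C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net"))
    print(normalize_serial("55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa"))
    print(signature_algorithm_name("1.2.840.113549.1.1.11"))
```

# Keeping the serial in one canonical form matters because it is the join key for
# CRL and CT-log lookups; a value indexed once as "55:fb:..." and once as
# "55FBB9..." never matches itself.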
  - name: geo
    title: Geo
    group: 2
    description: 'Geo fields can carry data about a specific location related to an
      event.

      This geolocation information can be derived from techniques such as Geo IP,
      or be user-supplied.'
    type: group
    default_field: true
    fields:
    - name: city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
  - name: group
    title: Group
    group: 2
    description: The group fields are meant to represent groups that are relevant
      to the event.
    type: group
    default_field: true
    fields:
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
  - name: hash
    title: Hash
    group: 2
    description: 'The hash fields represent different bitwise hash algorithms and
      their values.

      Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
      other hashes by lowercasing the hash algorithm name and using underscore separators
      as appropriate (snake case, e.g. sha3_512).

      Note that this fieldset is used for common hashes that may be computed over
      a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
      placed in the fieldsets to which they relate (tls and pe, respectively).'
    type: group
    default_field: true
    fields:
    - name: md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
  - name: host
    title: Host
    group: 2
    description: 'A host is defined as a general computing instance.

      ECS host.* fields should be populated with details about the host on which the
      event happened, or from which the measurement was taken. Host types include
      hardware, virtual machines, Docker containers, and Kubernetes nodes.'
    type: group
    default_field: true
    fields:
    - name: architecture
      level: core
      type: keyword
      ignore_above: 1024
      description: Operating system architecture.
      example: x86_64
    - name: cpu.usage
      level: extended
      type: scaled_float
      description: 'Percent CPU used, normalized by the number of CPU cores so that
        it ranges from 0 to 1.

        Scaling factor: 1000.

        For example, on a two-core host this value is the average of the two cores,
        between 0 and 1.'
      scaling_factor: 1000
      default_field: false
    - name: disk.read.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) read successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: disk.write.bytes
      level: extended
      type: long
      description: The total number of bytes (gauge) written successfully (aggregated
        from all disks) since the last metric collection.
      default_field: false
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the domain of which the host is a member.

        For example, on Windows this could be the host''s Active Directory domain
        or NetBIOS domain name. For Linux this could be the domain of the host''s
        LDAP provider.'
      example: CONTOSO
      default_field: false
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: hostname
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Hostname of the host.

        It normally contains what the `hostname` command returns on the host machine.'
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique host id.

        As hostname is not always unique, use values that are meaningful in your environment.

        Example: The current usage of `beat.name`.'
    - name: ip
      level: core
      type: ip
      description: Host ip addresses.
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Host MAC addresses.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
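# Added example, not ECS or Beats code: normalising the address notations that
# hosts and network devices actually emit (colon, hyphen, Cisco dotted-quad and
# bare hex) into the RFC 7042 form suggested for host.mac, rejecting anything that
# is not a 48-bit address. The locally-administered check reads the U/L bit of the
# first octet, which is set on randomised or software-assigned addresses. The
# accepted input formats and the sample values are assumptions of this example.

```python
import re
from typing import Iterable, List

# Accepted spellings of a 48-bit MAC (lowercase input).
_FORMS = (
    re.compile(r"[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}"),  # 00:00:5e:00:53:23
    re.compile(r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"),                               # 0000.5e00.5323
    re.compile(r"[0-9a-f]{12}"),                                                   # 00005e005323
)


def normalize_mac(raw: str) -> str:
    """Return the RFC 7042 form for host.mac: uppercase octets joined by hyphens."""
    s = raw.strip().lower()
    if not any(form.fullmatch(s) for form in _FORMS):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = re.sub(r"[:.-]", "", s)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


def host_macs(values: Iterable[str]) -> List[str]:
    """Normalise a list of addresses, dropping duplicates and unparsable entries."""
    result: List[str] = []
    for value in values:
        try:
            mac = normalize_mac(value)
        except ValueError:
            continue
        if mac not in result:
            result.append(mac)
    return result


if __name__ == "__main__":
    # Constructed sample values.
    print(host_macs(["00:00:5e:00:53:23", "0000.5e00.5324", "00-00-5E-00-53-23", "bogus"]))
    print(is_locally_administered("02:42:ac:11:00:02"))
```

# Normalising at ingest is what makes `host.mac` usable as an exact-match key across
# sources; a mixed-separator value such as `00:00-5e:00:53:23` is rejected rather
# than silently reshaped.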
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the host.

        It can contain what `hostname` returns on Unix systems, the fully qualified
        domain name, or a name specified by the user. The sender decides which value
        to use.'
    - name: network.egress.bytes
      level: extended
      type: long
      description: The number of bytes (gauge) sent out on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.egress.packets
      level: extended
      type: long
      description: The number of packets (gauge) sent out on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.ingress.bytes
      level: extended
      type: long
      description: The number of bytes received (gauge) on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: network.ingress.packets
      level: extended
      type: long
      description: The number of packets (gauge) received on all network interfaces
        by the host since the last metric collection.
      default_field: false
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of these following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Type of host.

        For cloud providers this can be the machine type, like `t2.medium`. For a
        VM this could be, for example, the container, or other information meaningful
        in your environment.'
    - name: uptime
      level: extended
      type: long
      description: Seconds the host has been up.
      example: 1325
  - name: http
    title: HTTP
    group: 2
    description: Fields related to HTTP activity. Use the `url` field set to store
      the url of the request.
    type: group
    default_field: true
    fields:
    - name: request.body.bytes
      level: extended
      type: long
      format: bytes
      description: Size in bytes of the request body.
      example: 887
    - name: request.body.content
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The full HTTP request body.
      example: Hello world
    - name: request.bytes
      level: extended
      type: long
      format: bytes
      description: Total size in bytes of the request (body and headers).
      example: 1437
    - name: request.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A unique identifier for each HTTP request to correlate logs between
        clients and servers in transactions.

        The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
        or `X-Correlation-ID`.'
      example: 123e4567-e89b-12d3-a456-426614174000
      default_field: false
    - name: request.method
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'HTTP request method.

        The value should retain its casing from the original event. For example, `GET`,
        `get`, and `GeT` are all considered valid values for this field.'
      example: POST
    - name: request.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Mime type of the body of the request.

        This value must only be populated based on the content of the request body,
        not on the `Content-Type` header. Comparing the mime type of a request with
        the request''s Content-Type header can be helpful in detecting threats or
        misconfigured clients.'
      example: image/gif
      default_field: false
    - name: request.referrer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Referrer for this HTTP request.
      example: https://blog.example.com/
    - name: response.body.bytes
      level: extended
      type: long
      format: bytes
      description: Size in bytes of the response body.
      example: 887
    - name: response.body.content
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The full HTTP response body.
      example: Hello world
    - name: response.bytes
      level: extended
      type: long
      format: bytes
      description: Total size in bytes of the response (body and headers).
      example: 1437
    - name: response.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Mime type of the body of the response.

        This value must only be populated based on the content of the response body,
        not on the `Content-Type` header. Comparing the mime type of a response with
        the response''s Content-Type header can be helpful in detecting misconfigured
        servers.'
      example: image/gif
      default_field: false
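# Added example, not ECS or Elastic code, serving both http.request.mime_type and
# http.response.mime_type above: the mime type is sniffed from the leading bytes of
# the body itself and then compared with the declared Content-Type header, so a
# mismatch (a PE delivered as image/gif, say) can be flagged. The magic-byte table,
# the fallback rules for text, JSON and markup, the "application/x-elf" label (ELF has
# no IANA registration) and the sample bodies are assumptions of this example.

```python
import json
from typing import Optional

# Leading-byte signatures for a few common formats; IANA names where one exists.
_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x1f\x8b", "application/gzip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"\x7fELF", "application/x-elf"),   # unofficial label; assumption
)


def sniff_mime_type(body: bytes) -> str:
    """Classify a body from its content only, never from headers."""
    for magic, mime in _MAGIC:
        if body.startswith(magic):
            return mime
    stripped = body.lstrip()
    if stripped[:1] in (b"{", b"["):
        try:
            json.loads(stripped)
            return "application/json"
        except ValueError:
            pass
    if stripped[:1] == b"<":
        head = stripped[:64].lower()
        if head.startswith(b"<?xml"):
            return "application/xml"
        if b"<html" in head or b"<!doctype html" in head:
            return "text/html"
    try:
        body.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def header_mime_type(content_type: Optional[str]) -> Optional[str]:
    """Media type from a Content-Type header, without parameters such as charset."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def http_body_fields(direction: str, body: bytes, content_type: Optional[str]) -> dict:
    """Fill http.<direction>.body.bytes and .mime_type and flag a header mismatch."""
    if direction not in ("request", "response"):
        raise ValueError("direction must be 'request' or 'response'")
    sniffed = sniff_mime_type(body)
    declared = header_mime_type(content_type)
    return {
        f"http.{direction}.body.bytes": len(body),
        f"http.{direction}.mime_type": sniffed,
        "declared_mime_type": declared,
        "mime_type_mismatch": declared is not None and declared != sniffed,
    }


if __name__ == "__main__":
    # Constructed sample: a PE header served with an image Content-Type.
    print(http_body_fields("response", b"MZ\x90\x00" + b"\x00" * 60, "image/gif"))
    print(http_body_fields("request", b"Hello world", "text/plain; charset=utf-8"))
```

# The mismatch flag is the detection signal the description alludes to: the
# Content-Type header is attacker-controlled, the first bytes of the body are not.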
    - name: response.status_code
      level: extended
      type: long
      format: string
      description: HTTP response status code.
      example: 404
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: HTTP version.
      example: 1.1
  - name: interface
    title: Interface
    group: 2
    description: The interface fields are used to record ingress and egress interface
      information when reported by an observer (e.g. firewall, router, load balancer)
      in the context of the observer handling a network connection. In the case of
      a single observer interface (e.g. network sensor on a span port) only the observer.ingress
      information should be populated.
    type: group
    default_field: true
    fields:
    - name: alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
  - name: log
    title: Log
    group: 2
    description: 'Details about the event''s logging mechanism or logging transport.

      The log.* fields are typically populated with details about the logging mechanism
      used to create and/or transport the event. For example, syslog details belong
      under `log.syslog.*`.

      The details specific to your event source are typically not logged under `log.*`,
      but rather in `event.*` or in other ECS fields.'
    type: group
    default_field: true
    fields:
    - name: file.path
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Full path to the log file this event came from, including the
        file name. It should include the drive letter, when appropriate.

        If the event wasn''t read from a log file, do not populate this field.'
      example: /var/log/fun-times.log
      default_field: false
    - name: level
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Original log level of the log event.

        If the source of the event provides a log level or textual severity, this
        is the one that goes in `log.level`. If your source doesn''t specify one,
        you may put your event transport''s severity here (e.g. Syslog severity).

        Some examples are `warn`, `err`, `i`, `informational`.'
      example: error
    - name: logger
      level: core
      type: keyword
      ignore_above: 1024
      description: The name of the logger inside an application. This is usually the
        name of the class which initialized the logger, or can be a custom name.
      example: org.elasticsearch.bootstrap.Bootstrap
    - name: origin.file.line
      level: extended
      type: long
      description: The line number of the file containing the source code which originated
        the log event.
      example: 42
    - name: origin.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The name of the file containing the source code which originated
        the log event.

        Note that this field is not meant to capture the log file. The correct field
        to capture the log file is `log.file.path`.'
      example: Bootstrap.java
    - name: origin.function
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the function or method which originated the log event.
      example: init
    - name: syslog
      level: extended
      type: object
      description: The Syslog metadata of the event, if the event was transmitted
        via Syslog. Please see RFCs 5424 or 3164.
    - name: syslog.facility.code
      level: extended
      type: long
      format: string
      description: 'The Syslog numeric facility of the log event, if available.

        According to RFCs 5424 and 3164, this value should be an integer between 0
        and 23.'
      example: 23
    - name: syslog.facility.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: The Syslog text-based facility of the log event, if available.
      example: local7
    - name: syslog.priority
      level: extended
      type: long
      format: string
      description: 'Syslog numeric priority of the event, if available.

        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
        This number is therefore expected to contain a value between 0 and 191.'
      example: 135
    - name: syslog.severity.code
      level: extended
      type: long
      description: 'The Syslog numeric severity of the log event, if available.

        If the event source publishing via Syslog provides a different numeric severity
        value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
        If the event source does not specify a distinct severity, you can optionally
        copy the Syslog severity to `event.severity`.'
      example: 3
    - name: syslog.severity.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The Syslog text-based severity of the log event, if available.

        If the event source publishing via Syslog provides a different severity value
        (e.g. firewall, IDS), your source''s text severity should go to `log.level`.
        If the event source does not specify a distinct severity, you can optionally
        copy the Syslog severity to `log.level`.'
      example: Error
  - name: network
    title: Network
    group: 2
    description: 'The network is defined as the communication path over which a host
      or network event happens.

      The network.* fields should be populated with details about the network activity
      associated with an event.'
    type: group
    default_field: true
    fields:
    - name: application
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'When a specific application or service is identified from network
        connection details (source/dest IPs, ports, certificates, or wire format),
        this field captures the application''s or service''s name.

        For example, the original event identifies the network connection being from
        a specific web service in a `https` network connection, like `facebook` or
        `twitter`.

        The field value must be normalized to lowercase for querying.'
      example: aim
    - name: bytes
      level: core
      type: long
      format: bytes
      description: 'Total bytes transferred in both directions.

        If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
        sum.'
      example: 368
    - name: community_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of source and destination IPs and ports, as well as the
        protocol used in a communication. This is a tool-agnostic standard to identify
        flows.

        Learn more at https://github.com/corelight/community-id-spec.'
      example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
    - name: direction
      level: core
      type: keyword
      ignore_above: 1024
      description: |-
        Direction of the network traffic.
        Recommended values are:
          * ingress
          * egress
          * inbound
          * outbound
          * internal
          * external
          * unknown

        When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
        When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
        Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
      example: inbound
    - name: forwarded_ip
      level: core
      type: ip
      description: Host IP address when the source IP address is the proxy.
      example: 192.1.1.2
    - name: iana_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
        Standardized list of protocols. This aligns well with NetFlow and sFlow related
        logs which use the IANA Protocol Number.
      example: 6
    - name: inner
      level: extended
      type: object
      description: Network.inner fields are added in addition to network.vlan fields
        to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
        fields include vlan.id and vlan.name. Inner vlan fields are typically used
        when sending traffic with multiple 802.1q encapsulations to a network sensor
        (e.g. Zeek, Wireshark).
      default_field: false
    - name: inner.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: inner.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name given by operators to sections of their network.
      example: Guest Wifi
    - name: packets
      level: core
      type: long
      description: 'Total packets transferred in both directions.

        If `source.packets` and `destination.packets` are known, `network.packets`
        is their sum.'
      example: 24
    - name: protocol
      level: core
      type: keyword
      ignore_above: 1024
      description: 'In the OSI Model this would be the Application Layer protocol.
        For example, `http`, `dns`, or `ssh`.

        The field value must be normalized to lowercase for querying.'
      example: http
    - name: transport
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Same as network.iana_number, but instead using the Keyword name
        of the transport layer (udp, tcp, ipv6-icmp, etc.)

        The field value must be normalized to lowercase for querying.'
      example: tcp
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'In the OSI Model this would be the Network Layer. For example,
        ipv4, ipv6, ipsec, pim, etc.

        The field value must be normalized to lowercase for querying.'
      example: ipv4
    - name: vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
  - name: observer
    title: Observer
    group: 2
    description: 'An observer is defined as a special network, security, or application
      device used to detect, observe, or create network, security, or application-related
      events and metrics.

      This could be a custom hardware appliance or a server that has been configured
      to run special network, security, or application software. Examples include
      firewalls, web proxies, intrusion detection/prevention systems, network monitoring
      sensors, web application firewalls, data loss prevention systems, and APM servers.
      The observer.* fields shall be populated with details of the system, if any,
      that detects, observes and/or creates a network, security, or application event
      or metric. Message queues and ETL components used in processing events or metrics
      are not considered observers in ECS.'
    type: group
    default_field: true
    fields:
    - name: egress
      level: extended
      type: object
      description: Observer.egress holds information like interface number and name,
        vlan, and zone information to classify egress traffic. Single-armed monitoring
        such as a network sensor on a span port should only use observer.ingress to
        categorize traffic.
      default_field: false
    - name: egress.interface.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: egress.interface.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: egress.interface.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
    - name: egress.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: egress.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: egress.zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Network zone of outbound traffic as reported by the observer to
        categorize the destination area of egress traffic, e.g. Internal, External,
        DMZ, HR, Legal, etc.
      example: Public_Internet
      default_field: false
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: hostname
      level: core
      type: keyword
      ignore_above: 1024
      description: Hostname of the observer.
    - name: ingress
      level: extended
      type: object
      description: Observer.ingress holds information like interface number and name,
        vlan, and zone information to classify ingress traffic. Single-armed monitoring
        such as a network sensor on a span port should only use observer.ingress to
        categorize traffic.
      default_field: false
    - name: ingress.interface.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface alias as reported by the system, typically used in firewall
        implementations for e.g. inside, outside, or dmz logical interface naming.
      example: outside
      default_field: false
    - name: ingress.interface.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface ID as reported by an observer (typically SNMP interface
        ID).
      example: 10
      default_field: false
    - name: ingress.interface.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Interface name as reported by the system.
      example: eth0
      default_field: false
    - name: ingress.vlan.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: ingress.vlan.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
    - name: ingress.zone
      level: extended
      type: keyword
      ignore_above: 1024
      description: Network zone of incoming traffic as reported by the observer to
        categorize the source area of ingress traffic, e.g. Internal, External, DMZ,
        HR, Legal, etc.
      example: DMZ
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP addresses of the observer.
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC addresses of the observer.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Custom name of the observer.

        This is a name that can be given to an observer. This can be helpful for example
        if multiple firewalls of the same model are used in an organization.

        If no custom name is needed, the field can be left empty.'
      example: 1_proxySG
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of the following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: product
      level: extended
      type: keyword
      ignore_above: 1024
      description: The product name of the observer.
      example: s200
    - name: serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Observer serial number.
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the observer the data is coming from.

        There is no predefined list of observer types. Some examples are `forwarder`,
        `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
      example: firewall
    - name: vendor
      level: core
      type: keyword
      ignore_above: 1024
      description: Vendor name of the observer.
      example: Symantec
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: Observer version.
  - name: orchestrator
    title: Orchestrator
    group: 2
    description: Fields that describe the resources which container orchestrators
      manage or act upon.
    type: group
    default_field: true
    fields:
    - name: api_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: API version being used to carry out the action.
      example: v1beta1
      default_field: false
    - name: cluster.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the cluster.
      default_field: false
    - name: cluster.url
      level: extended
      type: keyword
      ignore_above: 1024
      description: URL of the API used to manage the cluster.
      default_field: false
    - name: cluster.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: The version of the cluster.
      default_field: false
    - name: namespace
      level: extended
      type: keyword
      ignore_above: 1024
      description: Namespace in which the action is taking place.
      example: kube-system
      default_field: false
    - name: organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: Organization affected by the event (for multi-tenant orchestrator
        setups).
      example: elastic
      default_field: false
    - name: resource.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the resource being acted upon.
      example: test-pod-cdcws
      default_field: false
    - name: resource.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of resource being acted upon.
      example: service
      default_field: false
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
      example: kubernetes
      default_field: false
  - name: organization
    title: Organization
    group: 2
    description: 'The organization fields enrich data with information about the company
      or entity the data is associated with.

      These fields help you arrange or filter data stored in an index by one or multiple
      organizations.'
    type: group
    default_field: true
    fields:
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the organization.
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
  - name: os
    title: Operating System
    group: 2
    description: The OS fields contain information about the operating system.
    type: group
    default_field: true
    fields:
    - name: family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of the following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
  - name: package
    title: Package
    group: 2
    description: These fields contain information about an installed software package.
      It contains general information about a package, such as name, version or size.
      It also contains installation details, such as time or location.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package architecture.
      example: x86_64
    - name: build_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the build version of the installed
        package.

        For example use the commit SHA of a non-released package.'
      example: 36f4f7e89dd61b0988b12ee000b98966867710cd
      default_field: false
    - name: checksum
      level: extended
      type: keyword
      ignore_above: 1024
      description: Checksum of the installed package for verification.
      example: 68b329da9893e34099c7d8ad5cb9c940
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Description of the package.
      example: Open source programming language to build simple/reliable/efficient
        software.
    - name: install_scope
      level: extended
      type: keyword
      ignore_above: 1024
      description: Indicates how the package was installed, e.g. user-local, global.
      example: global
    - name: installed
      level: extended
      type: date
      description: Time when package was installed.
    - name: license
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'License under which the package was released.

        Use a short name, e.g. the license identifier from SPDX License List where
        possible (https://spdx.org/licenses/).'
      example: Apache License 2.0
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package name.
      example: go
    - name: path
      level: extended
      type: keyword
      ignore_above: 1024
      description: Path where the package is installed.
      example: /usr/local/Cellar/go/1.12.9/
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Home page or reference URL of the software in this package, if
        available.
      example: https://golang.org
      default_field: false
    - name: size
      level: extended
      type: long
      format: string
      description: Package size in bytes.
      example: 62231
    - name: type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Type of package.

        This should contain the package file type, rather than the package manager
        name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
      example: rpm
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Package version.
      example: 1.12.9
  - name: pe
    title: PE Header
    group: 2
    description: These fields contain Windows Portable Executable (PE) metadata.
    type: group
    default_field: true
    fields:
    - name: architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft® Windows® Operating System"
      default_field: false
  - name: process
    title: Process
    group: 2
    description: 'These fields contain information about a process.

      These fields can help you correlate metrics information with a process id/name
      from a log message.  The `process.pid` often stays in the metric itself and
      is copied to the global field for correlation.'
    type: group
    default_field: true
    fields:
    - name: args
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of process arguments, starting with the absolute path to
        the executable.

        May be filtered to protect sensitive information.'
      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
    - name: args_count
      level: extended
      type: long
      description: 'Length of the process.args array.

        This field can be useful for querying or performing bucket analysis on how
        many arguments were provided to start a process. More arguments may be an
        indication of suspicious activity.'
      example: 4
      default_field: false
    - name: code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: command_line
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Full command line that started the process, including the absolute
        path to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.'
      example: /usr/bin/ssh -l user 10.0.0.16
      default_field: false
    - name: elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte order of the ELF file.
      example: Little Endian
      default_field: false
    - name: elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system Application Binary Interface (ABI) that the ELF file targets.
      default_field: false
    - name: elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square statistic of the byte distribution of the section.
      default_field: false
    - name: elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: Flags of the ELF section.
      default_field: false
    - name: elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the ELF section.
      default_field: false
    - name: elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: File offset of the ELF section.
      default_field: false
    - name: elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: Size of the ELF section in the file.
      default_field: false
    - name: elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of the ELF section.
      default_field: false
    - name: elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: Virtual address of the ELF section.
      default_field: false
    - name: elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: Size of the ELF section in memory.
      default_field: false
    - name: elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: Names of the sections mapped by the ELF segment.
      default_field: false
    - name: elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of the ELF segment.
      default_field: false
    - name: elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash of the ELF file.
      default_field: false
    - name: end
      level: extended
      type: date
      description: The time the process ended.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: entity_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier for the process.

        The implementation of this is specified by the data source, but some examples
        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
        or a hash of some uniquely identifying components of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.'
      example: c2c455d9f99375d
      default_field: false
    - name: executable
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Absolute path to the process executable.
      example: /usr/bin/ssh
    - name: exit_code
      level: extended
      type: long
      description: 'The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g. process
        start).'
      example: 137
      default_field: false
    - name: hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
    - name: hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
    - name: hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
    - name: hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
    - name: hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Process name.

        Sometimes called program name or similar.'
      example: ssh
    - name: parent.args
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of process arguments, starting with the absolute path to
        the executable.

        May be filtered to protect sensitive information.'
      example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
      default_field: false
    - name: parent.args_count
      level: extended
      type: long
      description: 'Length of the process.parent.args array.

        This field can be useful for querying or performing bucket analysis on how
        many arguments were provided to start a process. More arguments may be an
        indication of suspicious activity.'
      example: 4
      default_field: false
    - name: parent.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: parent.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: parent.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: parent.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: parent.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: parent.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: parent.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: parent.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: parent.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: parent.command_line
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Full command line that started the process, including the absolute
        path to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.'
      example: /usr/bin/ssh -l user 10.0.0.16
      default_field: false
    - name: parent.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: parent.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte order of the ELF file.
      example: Little Endian
      default_field: false
    - name: parent.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: parent.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: parent.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: parent.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: parent.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: parent.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: parent.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: parent.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: parent.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system Application Binary Interface (ABI) that the ELF file targets.
      default_field: false
    - name: parent.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: parent.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: parent.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: parent.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `parent.elf.sections.*`.'
      default_field: false
    - name: parent.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square statistic of the byte distribution of the section.
      default_field: false
    - name: parent.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: parent.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: Flags of the ELF section.
      default_field: false
    - name: parent.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the ELF section.
      default_field: false
    - name: parent.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: File offset of the ELF section.
      default_field: false
    - name: parent.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: Size of the ELF section in the file.
      default_field: false
    - name: parent.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of the ELF section.
      default_field: false
    - name: parent.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: Virtual address of the ELF section.
      default_field: false
    - name: parent.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: Size of the ELF section in memory.
      default_field: false
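Worked example, added here and not part of ECS or of any collector that populates it: the two per-section statistics described above, `elf.sections.entropy` (Shannon entropy of the section bytes) and `elf.sections.chi2` (chi-square of the byte histogram against a uniform distribution), computed over constructed section contents. The same functions serve `process.elf.sections.*` and `process.parent.elf.sections.*`; a real collector would feed them the bytes of each section read from the ELF file. The packing threshold is a heuristic chosen for this example, not an ECS value.

```python
import math
from collections import Counter
from typing import Dict

# Heuristic threshold (an assumption for this example, not an ECS value): code and
# data sections of ordinary compiled binaries rarely exceed ~7 bits/byte, while
# packed or encrypted payloads approach the 8.0 maximum.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    over all 256 byte values; 0.0 means every value occurs equally often."""
    if not data:
        return 0.0
    counts = Counter(data)
    expected = len(data) / 256.0
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def section_stats(name: str, data: bytes) -> Dict[str, object]:
    """Fields for one entry of the elf.sections array, plus a packing verdict."""
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "physical_size": len(data),
        "entropy": round(entropy, 4),
        "chi2": round(chi_square(data), 2),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


# Constructed section contents (not read from a real binary): a zero-filled
# .bss-like buffer, a buffer holding every byte value exactly once (the uniform
# ideal a good packer approaches), and a short repeating code-like pattern.
SAMPLE_SECTIONS = {
    ".bss": bytes(256),
    ".packed": bytes(range(256)),
    ".text": bytes([0x55, 0x48, 0x89, 0xE5, 0xC3, 0x90] * 50),
}


if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS.items():
        print(section_stats(name, data))
```

Entropy alone is not a packing verdict: compressed resources and certificate blobs are legitimately high-entropy, so in practice the flag is combined with the section being executable (`elf.sections.flags`) and with the import list being unusually small.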
    - name: parent.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `parent.elf.segments.*`.'
      default_field: false
    - name: parent.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: Names of the sections mapped by the ELF segment.
      default_field: false
    - name: parent.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Type of the ELF segment.
      default_field: false
    - name: parent.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: parent.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash of the ELF file.
      default_field: false
    - name: parent.end
      level: extended
      type: date
      description: The time the process ended.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: parent.entity_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier for the process.

        The implementation of this is specified by the data source, but some examples
        of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
        or a hash of some uniquely identifying components of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.'
      example: c2c455d9f99375d
      default_field: false
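Added example, not code from ECS or from any particular data source: one way to construct the globally unique identifier that the `process.entity_id` and `process.parent.entity_id` descriptions above leave to the implementation. The scheme chosen here (SHA-256 over host id, PID and process start time, truncated) is an assumption for illustration; the timeline of events is constructed and shows why a PID alone is not a stable key once the kernel reuses it.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def process_entity_id(host_id: str, pid: int, start: datetime, length: int = 16) -> str:
    """Derive a process identifier that survives PID reuse and is unique across hosts.

    The components (host, PID, start time) are this example's choice; ECS leaves the
    scheme to the data source. Start time must be timezone-aware so the same process
    hashes identically wherever the ID is computed.
    """
    if start.tzinfo is None:
        raise ValueError("start must be timezone-aware")
    stamp = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    digest = hashlib.sha256(("%s|%d|%s" % (host_id, pid, stamp)).encode("utf-8"))
    return digest.hexdigest()[:length]


def process_event(host_id: str, pid: int, start: datetime, ppid: int,
                  parent_start: datetime, executable: str) -> Dict[str, object]:
    """Build the ECS process fields of a start event, including the parent link."""
    return {
        "process.pid": pid,
        "process.start": start.isoformat(),
        "process.executable": executable,
        "process.entity_id": process_entity_id(host_id, pid, start),
        "process.parent.pid": ppid,
        "process.parent.entity_id": process_entity_id(host_id, ppid, parent_start),
    }


def children_of(events: List[Dict[str, object]], parent_entity_id: str) -> List[Dict[str, object]]:
    """Resolve lineage by entity_id rather than by PID, so a reused PID cannot
    attach a child to the wrong parent."""
    return [e for e in events if e["process.parent.entity_id"] == parent_entity_id]


# Constructed timeline on one host: a shell (PID 1000) spawns ssh as PID 4242,
# ssh exits, and the kernel reuses PID 4242 for curl spawned by another shell (PID 1001).
HOST = "host-a"
T0 = datetime(2016, 5, 23, 8, 5, 34, 853000, tzinfo=timezone.utc)
SHELL_1 = process_entity_id(HOST, 1000, T0 - timedelta(minutes=5))
EVENTS = [
    process_event(HOST, 4242, T0, 1000, T0 - timedelta(minutes=5), "/usr/bin/ssh"),
    process_event(HOST, 4242, T0 + timedelta(minutes=2), 1001,
                  T0 - timedelta(minutes=1), "/usr/bin/curl"),
]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["process.pid"], e["process.entity_id"], e["process.executable"])
```

Hashing the start time as a UTC string with microsecond precision is what makes the ID reproducible when the same raw event is processed twice (for example by an agent and by a replayed pipeline); any component that can differ between two observations of the same process, such as the PID's uptime, must be kept out of the hash.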
    - name: parent.executable
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Absolute path to the process executable.
      example: /usr/bin/ssh
      default_field: false
    - name: parent.exit_code
      level: extended
      type: long
      description: 'The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g. process
        start).'
      example: 137
      default_field: false
    - name: parent.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: parent.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: parent.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: parent.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: parent.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: parent.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Process name.

        Sometimes called program name or similar.'
      example: ssh
      default_field: false
    - name: parent.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: parent.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: parent.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: parent.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: parent.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: parent.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: parent.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: parent.pgid
      level: extended
      type: long
      format: string
      description: Identifier of the group of processes the process belongs to.
      default_field: false
    - name: parent.pid
      level: core
      type: long
      format: string
      description: Process id.
      example: 4242
      default_field: false
    - name: parent.start
      level: extended
      type: date
      description: The time the process started.
      example: '2016-05-23T08:05:34.853Z'
      default_field: false
    - name: parent.thread.id
      level: extended
      type: long
      format: string
      description: Thread ID.
      example: 4242
      default_field: false
    - name: parent.thread.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Thread name.
      example: thread-0
      default_field: false
    - name: parent.title
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Process title.

        The proctitle, sometimes the same as the process name. Can also be different:
        for example, a browser setting its title to the web page currently opened.'
      default_field: false
    - name: parent.uptime
      level: extended
      type: long
      description: Seconds the process has been up.
      example: 1325
      default_field: false
    - name: parent.working_directory
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: The working directory of the process.
      example: /home/alice
      default_field: false
    - name: pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
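Worked example, added here and not taken from ECS, from the FireEye post linked above or from any PE library: the import-hash construction that `pe.imphash`, `process.pe.imphash` and `process.parent.pe.imphash` describe, run over constructed import tables. It follows the published algorithm: each import becomes a lower-case `library.function` string with a `.dll`, `.ocx` or `.sys` extension dropped, the strings are comma-joined in import-table order, and the result is MD5-hashed; imports by ordinal are resolved to names where a table is known. The ws2_32 ordinal table here is deliberately partial and the import lists are made up, so no real binary is involved.

```python
import hashlib
from typing import Iterable, Tuple, Union

# Partial ordinal-to-name table for ws2_32.dll (an excerpt, not a complete table).
# Imports from this library are often by ordinal, and an imphash implementation
# must resolve them so that "socket by ordinal 23" and "socket by name" hash alike.
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 13: "listen",
    16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
    57: "gethostname", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32.dll": WS2_32_ORDINALS}

# Library extensions dropped from the import string before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_import(dll: str, func: Union[str, int]) -> str:
    """Return the canonical 'library.function' string for one imported symbol."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIPPED_EXTENSIONS:
        lib = base
    if isinstance(func, int):
        # Ordinal import: resolve through the per-library table, else keep "ordN".
        func = ORDINAL_TABLES.get(dll.lower(), {}).get(func, "ord%d" % func)
    return "%s.%s" % (lib, func.lower())


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """MD5 over the comma-joined, normalized import list, in import-table order."""
    parts = [normalize_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(parts).encode("utf-8")).hexdigest()


def same_imphash(a, b) -> bool:
    return imphash(a) == imphash(b)


# Constructed import tables (not from a real binary). BUILD_B models the same
# source recompiled: identical imports, different casing, one symbol imported by
# ordinal. REORDERED keeps the same set of imports but changes their order, which
# changes the imphash: the hash fingerprints the linker's import layout, not the set.
IMPORTS_BUILD_A = [
    ("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
    ("ws2_32.dll", "socket"), ("ws2_32.dll", "connect"),
]
IMPORTS_BUILD_B = [
    ("kernel32.DLL", "createfilea"), ("kernel32.DLL", "writefile"),
    ("WS2_32.dll", 23), ("WS2_32.dll", 4),
]
IMPORTS_REORDERED = list(reversed(IMPORTS_BUILD_A))


if __name__ == "__main__":
    for label, table in (("build A", IMPORTS_BUILD_A), ("build B", IMPORTS_BUILD_B),
                         ("reordered", IMPORTS_REORDERED)):
        print("%-9s %s" % (label, imphash(table)))
```

Because the value is order-sensitive and covers only names, it is a clustering aid rather than an integrity check: two unrelated binaries built from the same framework template can collide, and a packer that hides the real imports behind a loader stub yields the stub's imphash, not the payload's.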
    - name: pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: pgid
      level: extended
      type: long
      format: string
      description: Identifier of the group of processes the process belongs to.
    - name: pid
      level: core
      type: long
      format: string
      description: Process id.
      example: 4242
    - name: start
      level: extended
      type: date
      description: The time the process started.
      example: '2016-05-23T08:05:34.853Z'
    - name: thread.id
      level: extended
      type: long
      format: string
      description: Thread ID.
      example: 4242
    - name: thread.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Thread name.
      example: thread-0
    - name: title
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Process title.

        The proctitle, sometimes the same as the process name. Can also be different:
        for example, a browser setting its title to the web page currently opened.'
    - name: uptime
      level: extended
      type: long
      description: Seconds the process has been up.
      example: 1325
    - name: working_directory
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: The working directory of the process.
      example: /home/alice
  - name: registry
    title: Registry
    group: 2
    description: Fields related to Windows Registry operations.
    type: group
    default_field: true
    fields:
    - name: data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written, base64-encoded.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed to by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of strings with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g. `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents.
      example: REG_SZ
      default_field: false
    - name: hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value.
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
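The following is an added example, not part of the ECS schema or of any Elastic code. It shows how a producer would fill the registry.* fields described above from a single value write: the full path is split into the abbreviated hive, the hive-relative key and the value name; data.strings and data.bytes are encoded per registry type as the descriptions require; and the page's own data.bytes example is decoded back into the REG_MULTI_SZ strings it carries. The hive name mapping is the standard Windows root-key set, and the UTF-16LE-with-NUL layout used for string types is an assumption about how the caller filled `lp_data`, not something the schema mandates.

```python
"""Map one Windows registry write onto the ECS registry.* fields (added example)."""
import base64
import struct
from typing import Any, Dict, List

# Windows root-key names and the abbreviated forms ECS uses in registry.hive.
HIVE_ABBREVIATIONS = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_CONFIG": "HKCC",
}


def split_registry_path(full_path: str) -> Dict[str, str]:
    """Split '<hive>\\<key...>\\<value>' into registry.hive/.key/.value/.path,
    normalising a long root-key name (HKEY_LOCAL_MACHINE) to its abbreviation."""
    parts = full_path.split("\\")
    if len(parts) < 3:
        raise ValueError("expected <hive>\\<key...>\\<value>")
    hive = HIVE_ABBREVIATIONS.get(parts[0].upper(), parts[0].upper())
    return {
        "registry.hive": hive,
        "registry.key": "\\".join(parts[1:-1]),
        "registry.value": parts[-1],
        "registry.path": "\\".join([hive, *parts[1:]]),
    }


def encode_registry_data(reg_type: str, value: Any) -> Dict[str, Any]:
    """Build registry.data.type / data.strings / data.bytes for one write.

    data.strings follows the schema text: one element for REG_SZ/REG_EXPAND_SZ, a
    variable-length list for REG_MULTI_SZ, the decimal string for REG_DWORD/REG_QWORD.
    data.bytes is base64 of the raw buffer. ASSUMPTION: string types were passed as
    UTF-16LE with terminating NULs (the usual SetValueEx convention).
    """
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        strings: List[str] = [value]
        raw = (value + "\0").encode("utf-16-le")
    elif reg_type == "REG_MULTI_SZ":
        strings = list(value)
        raw = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    elif reg_type == "REG_DWORD":
        strings = [str(int(value))]
        raw = struct.pack("<I", int(value))          # 32-bit little-endian
    elif reg_type == "REG_QWORD":
        strings = [str(int(value))]
        raw = struct.pack("<Q", int(value))          # 64-bit little-endian
    elif reg_type == "REG_BINARY":
        strings = []                                  # no textual form, bytes only
        raw = bytes(value)
    else:
        raise ValueError(f"unsupported registry type {reg_type}")
    fields: Dict[str, Any] = {
        "registry.data.type": reg_type,
        "registry.data.bytes": base64.b64encode(raw).decode("ascii"),
    }
    if strings:
        fields["registry.data.strings"] = strings
    return fields


def decode_multi_sz(b64: str) -> List[str]:
    """Inverse of the REG_MULTI_SZ branch above: base64 -> UTF-16LE -> NUL-separated list."""
    text = base64.b64decode(b64).decode("utf-16-le")
    return [s for s in text.split("\0") if s]


def registry_event(full_path: str, reg_type: str, value: Any) -> Dict[str, Any]:
    """Flat ECS registry.* document for a single value write."""
    doc = split_registry_path(full_path)
    doc.update(encode_registry_data(reg_type, value))
    return doc


if __name__ == "__main__":
    # Constructed sample: the Image File Execution Options debugger write from the schema examples.
    event = registry_event(
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options\winword.exe\Debugger",
        "REG_SZ",
        r"C:\rta\red_ttp\bin\myapp.exe",
    )
    for key, val in sorted(event.items()):
        print(f"{key}: {val}")
```

Decoding the schema's own data.bytes example with `decode_multi_sz` yields the two locale strings of a REG_MULTI_SZ value, which is the kind of check worth running before trusting a producer's base64 output.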
  - name: related
    title: Related
    group: 2
    description: 'This field set is meant to facilitate pivoting around a piece of
      data.

      Some pieces of information can be seen in many places in an ECS event. To facilitate
      searching for them, store an array of all seen values to their corresponding
      field in `related.`.

      A concrete example is IP addresses, which can be under host, observer, source,
      destination, client, server, and network.forwarded_ip. If you append all IPs
      to `related.ip`, you can then search for a given IP trivially, no matter where
      it appeared, by querying `related.ip:192.0.2.15`.'
    type: group
    default_field: true
    fields:
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: All the hashes seen on your event. Populating this field, then
        using it to search for hashes can help in situations where you're unsure what
        the hash algorithm is (and therefore which key name to search).
      default_field: false
    - name: hosts
      level: extended
      type: keyword
      ignore_above: 1024
      description: All hostnames or other host identifiers seen on your event. Example
        identifiers include FQDNs, domain names, workstation names, or aliases.
      default_field: false
    - name: ip
      level: extended
      type: ip
      description: All of the IPs seen on your event.
    - name: user
      level: extended
      type: keyword
      ignore_above: 1024
      description: All the user names or other user identifiers seen on the event.
      default_field: false
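An added example of the pivoting the related fieldset describes; this is not ECS or Elastic code. It walks a nested ECS document, copies every IP, user, host name and hash it finds into the matching related.* array, de-duplicates, and canonicalises where the field type demands it. The list of IP-bearing fields follows the description above (host, observer, source, destination, client, server, network.forwarded_ip, plus the *.nat.ip fields defined in this schema); the user, host and hash field lists are a mapping chosen for this example and should be widened to whatever a given pipeline emits. The sample event at the end is constructed, not taken from any log.

```python
"""Populate related.ip / related.user / related.hosts / related.hash (added example)."""
import ipaddress
from typing import Any, Dict, Iterable, List, Sequence

# Fields mirrored into each related.* array. IP_FIELDS follows the fieldset text; the
# other three tuples are an assumed mapping for this example.
IP_FIELDS = (
    "host.ip", "observer.ip", "source.ip", "destination.ip", "client.ip", "server.ip",
    "network.forwarded_ip", "source.nat.ip", "destination.nat.ip", "client.nat.ip", "server.nat.ip",
)
USER_FIELDS = ("user.name", "user.id", "source.user.name", "destination.user.name",
               "client.user.name", "server.user.name")
HOST_FIELDS = ("host.name", "host.hostname", "source.domain", "destination.domain",
               "client.domain", "server.domain", "url.domain", "dns.question.name")
HASH_FIELDS = ("file.hash.md5", "file.hash.sha1", "file.hash.sha256",
               "process.hash.md5", "process.hash.sha1", "process.hash.sha256")


def get_path(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS name such as 'source.nat.ip' against a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def collect(doc: Dict[str, Any], fields: Sequence[str]) -> List[str]:
    """Gather string values of `fields`, flattening arrays; first occurrence wins."""
    out: List[str] = []
    for name in fields:
        value = get_path(doc, name)
        if value is None:
            continue
        for item in (value if isinstance(value, list) else [value]):
            text = str(item).strip()
            if text and text not in out:
                out.append(text)
    return out


def normalise_ips(values: Sequence[str]) -> List[str]:
    """Canonicalise and drop non-addresses: related.ip is an `ip` typed field, so a single
    malformed value would make the whole document fail indexing."""
    out: List[str] = []
    for value in values:
        try:
            canonical = str(ipaddress.ip_address(value))   # e.g. 2001:0db8::1 -> 2001:db8::1
        except ValueError:
            continue
        if canonical not in out:
            out.append(canonical)
    return out


def _dedupe(values: Iterable[str]) -> List[str]:
    return list(dict.fromkeys(values))


def add_related(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `doc` with related.* populated; empty arrays are omitted."""
    ips = normalise_ips(collect(doc, IP_FIELDS))
    users = collect(doc, USER_FIELDS)            # case kept: Unix logins are case-sensitive
    # Host names are case-insensitive and hashes are hex, so lower-case both and strip a
    # trailing dot from FQDNs; one query then matches however the producer wrote them.
    hosts = _dedupe(h.lower().rstrip(".") for h in collect(doc, HOST_FIELDS))
    hashes = _dedupe(h.lower() for h in collect(doc, HASH_FIELDS))
    related: Dict[str, List[str]] = {}
    for key, values in (("ip", ips), ("user", users), ("hosts", hosts), ("hash", hashes)):
        if values:
            related[key] = values
    enriched = dict(doc)
    if related:
        enriched["related"] = related
    return enriched


def sample_event() -> Dict[str, Any]:
    """Constructed sample (not a real log) with duplicates, mixed case and one bad IP."""
    return {
        "source": {"ip": "192.0.2.15", "user": {"name": "a.einstein"}},
        "destination": {"ip": "2001:0db8::1", "domain": "Foo.Example.COM."},
        "network": {"forwarded_ip": "192.0.2.15"},
        "host": {"name": "WS01", "ip": ["192.0.2.15", "not-an-ip"]},
        "user": {"name": "alice", "id": "S-1-5-21-202424912787-2692429404-2351956786-1000"},
        "file": {"hash": {"sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
    }


if __name__ == "__main__":
    print(add_related(sample_event())["related"])
```

With this in place, `related.ip:192.0.2.15` finds the event whether the address was the source, the host or a forwarded address, which is the point of the fieldset.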
  - name: rule
    title: Rule
    group: 2
    description: 'Rule fields are used to capture the specifics of any observer or
      agent rules that generate alerts or other notable events.

      Examples of data sources that would populate the rule fields include: network
      admission control platforms, network or host IDS/IPS, network firewalls, web
      application firewalls, url filters, endpoint detection and response (EDR) systems,
      etc.'
    type: group
    default_field: true
    fields:
    - name: author
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name, organization, or pseudonym of the author or authors who created
        the rule used to generate this event.
      example: '["Star-Lord"]'
      default_field: false
    - name: category
      level: extended
      type: keyword
      ignore_above: 1024
      description: A categorization value keyword used by the entity using the rule
        for detection of this event.
      example: Attempted Information Leak
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      description: The description of the rule generating the event.
      example: Block requests to public DNS over HTTPS / TLS protocols
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: A rule ID that is unique within the scope of an agent, observer,
        or other entity using the rule for detection of this event.
      example: 101
      default_field: false
    - name: license
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the license under which the rule used to generate this
        event is made available.
      example: Apache 2.0
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the rule or signature generating the event.
      example: BLOCK_DNS_over_TLS
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Reference URL to additional information about the rule used to
        generate this event.

        The URL can point to the vendor''s documentation about the rule. If that''s
        not available, it can also be a link to a more general page describing this
        type of alert.'
      example: https://en.wikipedia.org/wiki/DNS_over_TLS
      default_field: false
    - name: ruleset
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the ruleset, policy, group, or parent category in which
        the rule used to generate this event is a member.
      example: Standard_Protocol_Filters
      default_field: false
    - name: uuid
      level: extended
      type: keyword
      ignore_above: 1024
      description: A rule ID that is unique within the scope of a set or group of
        agents, observers, or other entities using the rule for detection of this
        event.
      example: 1100110011
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: The version / revision of the rule being used for analysis.
      example: 1.1
      default_field: false
  - name: server
    title: Server
    group: 2
    description: 'A Server is defined as the responder in a network connection for
      events regarding sessions, connections, or bidirectional flow records.

      For TCP events, the server is the receiver of the initial SYN packet(s) of the
      TCP connection. For other protocols, the server is generally the responder in
      the network transaction. Some systems actually use the term "responder" to refer
      to the server in TCP connections. The server fields describe details about the
      system acting as the server in the network event. Server fields are usually
      populated in conjunction with client fields. Server fields are generally not
      populated for packet-level events.

      Client / server representations can add semantic context to an exchange, which
      is helpful to visualize the data in certain situations. If your context falls
      in that category, you should still ensure that source and destination are filled
      appropriately.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event server addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the server to the client.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the server system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing the continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as an IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the server (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the server.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of destination-based NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of destination-based NAT sessions (e.g. internet
        to private DMZ).

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the server to the client.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the server.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered server domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
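An added example covering two pieces of guidance in the server fieldset (it applies unchanged to source, destination and client, which reuse the same fields); it is not ECS or Elastic code. First, the `.address` rule: keep the raw value, then copy it to `.ip` or `.domain` depending on what it is, leaving a unix socket in `.address` alone. Second, the eTLD-aware split of a domain into top_level_domain, registered_domain and subdomain, which the descriptions say must use a suffix list rather than label counting. The PUBLIC_SUFFIXES set here is a constructed stand-in for the Public Suffix List (the real one has thousands of rules plus wildcard and exception rules and must be loaded from the published file); the `host:port` and `[v6]:port` forms and the `/` and `unix:` socket prefixes are assumptions about how producers write addresses. Note that the schema's own subdomain examples disagree on whether the leftmost host label is dropped ("east" for www.east.mydomain.co.uk, but "sub2.sub1" for sub2.sub1.example.com); this code keeps every label below the registered domain, matching the second example.

```python
"""server/source/destination/client .address normalisation and domain splitting (added example)."""
import ipaddress
from typing import Any, Dict, Optional, Tuple

# CONSTRUCTED stand-in for the Public Suffix List (https://publicsuffix.org), example only.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def split_domain(domain: str) -> Dict[str, str]:
    """eTLD-aware split into top_level_domain / registered_domain / subdomain.

    Returns {} when no known suffix matches instead of guessing: 'take the last two
    labels' is exactly the approximation the schema warns breaks on co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    # Longest suffix first, keeping at least one label for the registrable part.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            fields = {
                "top_level_domain": suffix,
                "registered_domain": ".".join(labels[i - 1:]),
            }
            subdomain = ".".join(labels[: i - 1])
            if subdomain:
                fields["subdomain"] = subdomain
            return fields
    return {}


def _split_host_port(address: str) -> Tuple[str, Optional[int]]:
    """Accept 'host', 'host:port' and '[v6]:port'; a bare IPv6 literal (several colons)
    is returned untouched so it is not mistaken for host:port."""
    if address.startswith("["):
        host, _, rest = address[1:].partition("]")
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    if address.count(":") == 1:
        host, _, port = address.partition(":")
        if port.isdigit():
            return host, int(port)
    return address, None


def describe_endpoint(prefix: str, address: str) -> Dict[str, Any]:
    """Build <prefix>.address/.ip/.domain/.port plus the domain-part fields for one endpoint.
    `prefix` is 'server', 'source', 'destination' or 'client'."""
    fields: Dict[str, Any] = {f"{prefix}.address": address}   # raw value is always kept
    # ASSUMPTION: unix sockets arrive as a filesystem path or a 'unix:' URI; they get no .ip/.domain.
    if address.startswith(("/", "unix:")):
        return fields
    host, port = _split_host_port(address)
    if port is not None:
        fields[f"{prefix}.port"] = port
    try:
        fields[f"{prefix}.ip"] = str(ipaddress.ip_address(host))   # canonical IPv4/IPv6 text
    except ValueError:
        domain = host.lower().rstrip(".")
        fields[f"{prefix}.domain"] = domain
        for key, value in split_domain(domain).items():
            fields[f"{prefix}.{key}"] = value
    return fields


if __name__ == "__main__":
    for addr in ("foo.example.com", "[2001:db8::1]:443", "192.0.2.15:8080",
                 "www.east.mydomain.co.uk", "/var/run/postgresql/.s.PGSQL.5432", "localhost"):
        print(describe_endpoint("server", addr))
```

Because `split_domain` refuses to guess, a name like `localhost` or one under a TLD missing from the loaded list ends up with `.domain` set and no registered_domain; that is preferable to a wrong registered_domain that silently skews pivots and allow-lists.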
  - name: service
    title: Service
    group: 2
    description: 'The service fields describe the service for or from which the data
      was collected.

      These fields help you find and correlate logs for a specific service and version.'
    footnote: The service fields may be self-nested under service.origin.* and service.target.*
      to describe origin or target services in the context of incoming or outgoing requests,
      respectively. However, the fieldsets service.origin.* and service.target.* must not
      be confused with the root service fieldset that is used to describe the actual service
      under observation. The fieldset service.origin.* may only be used in the context
      of incoming requests or events to describe the originating service of the request.
      The fieldset service.target.* may only be used in the context of outgoing requests
      or events to describe the target service of the request.
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service consists
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
    - name: node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host), the node name can be set manually.'
      example: instance-0000000016
    - name: origin.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: origin.environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: origin.ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
      default_field: false
    - name: origin.id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service consists
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
      default_field: false
    - name: origin.name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
      default_field: false
    - name: origin.node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host), the node name can be set manually.'
      example: instance-0000000016
      default_field: false
    - name: origin.state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
      default_field: false
    - name: origin.type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
      default_field: false
    - name: origin.version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
      default_field: false
    - name: state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
    - name: target.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Address where data about this service was collected from.

        This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
        path (sockets).'
      example: 172.26.0.2:5432
      default_field: false
    - name: target.environment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Identifies the environment where the service is running.

        If the same service runs in different environments (production, staging, QA,
        development, etc.), the environment can identify other instances of the same
        service. Can also group services and applications from the same environment.'
      example: production
      default_field: false
    - name: target.ephemeral_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Ephemeral identifier of this service (if one exists).

        This id normally changes across restarts, but `service.id` does not.'
      example: 8a4f500f
      default_field: false
    - name: target.id
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Unique identifier of the running service. If the service consists
        of many nodes, the `service.id` should be the same for all nodes.

        This id should uniquely identify the service. This makes it possible to correlate
        logs and metrics for one specific service, no matter which particular node
        emitted the event.

        Note that if you need to see the events from one specific host of the service,
        you should filter on that `host.name` or `host.id` instead.'
      example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
      default_field: false
    - name: target.name
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Name of the service data is collected from.

        The name of the service is normally user given. This allows for distributed
        services that run on multiple hosts to correlate the related instances based
        on the name.

        In the case of Elasticsearch the `service.name` could contain the cluster
        name. For Beats the `service.name` is by default a copy of the `service.type`
        field if no name is specified.'
      example: elasticsearch-metrics
      default_field: false
    - name: target.node.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of a service node.

        This allows for two nodes of the same service running on the same host to
        be differentiated. Therefore, `service.node.name` should typically be unique
        across nodes of a given service.

        In the case of Elasticsearch, the `service.node.name` could contain the unique
        node name within the Elasticsearch cluster. In cases where the service doesn''t
        have the concept of a node name, the host name or container name can be used
        to distinguish running instances that make up this service. If those do not
        provide uniqueness (e.g. multiple instances of the service running on the
        same host), the node name can be set manually.'
      example: instance-0000000016
      default_field: false
    - name: target.state
      level: core
      type: keyword
      ignore_above: 1024
      description: Current state of the service.
      default_field: false
    - name: target.type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
      default_field: false
    - name: target.version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
      default_field: false
    - name: type
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The type of the service data is collected from.

        The type can be used to group and correlate logs and metrics from one service
        type.

        Example: If logs or metrics are collected from Elasticsearch, `service.type`
        would be `elasticsearch`.'
      example: elasticsearch
    - name: version
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Version of the service the data was collected from.

        This allows looking at a data set only for a specific version of a service.'
      example: 3.2.4
  - name: source
    title: Source
    group: 2
    description: 'Source fields capture details about the sender of a network exchange/packet.
      These fields are populated from a network event, packet, or other event containing
      details of a network transaction.

      Source fields are usually populated in conjunction with destination fields.
      The source and destination fields are considered the baseline and should always
      be filled if an event contains source and destination details from a network
      transaction. If the event also contains identification of the client and server
      roles, then the client and server fields should also be populated.'
    type: group
    default_field: true
    fields:
    - name: address
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Some event source addresses are defined ambiguously. The event
        will sometimes list an IP, a domain or a unix socket. You should always store
        the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which one
        it is.'
    - name: as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
    - name: as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Organization name.
      example: Google LLC
    - name: bytes
      level: core
      type: long
      format: bytes
      description: Bytes sent from the source to the destination.
      example: 184
    - name: domain
      level: core
      type: keyword
      ignore_above: 1024
      description: 'The domain name of the source system.

        This value may be a host name, a fully qualified domain name, or another host
        naming format. The value may derive from the original event or be added from
        enrichment.'
      example: foo.example.com
    - name: geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
    - name: geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing the continent's name.
      example: NA
      default_field: false
    - name: geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
    - name: geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
    - name: geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
    - name: geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
    - name: geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
    - name: geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
    - name: geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
    - name: geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as an IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: ip
      level: core
      type: ip
      description: IP address of the source (IPv4 or IPv6).
    - name: mac
      level: core
      type: keyword
      ignore_above: 1024
      description: 'MAC address of the source.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
        byte) is represented by two [uppercase] hexadecimal digits giving the value
        of the octet as an unsigned integer. Successive octets are separated by a
        hyphen.'
      example: 00-00-5E-00-53-23
    - name: nat.ip
      level: extended
      type: ip
      description: 'Translated IP of source-based NAT sessions (e.g. internal client
        to internet).

        Typically connections traversing load balancers, firewalls, or routers.'
    - name: nat.port
      level: extended
      type: long
      format: string
      description: 'Translated port of source-based NAT sessions (e.g. internal client
        to internet).

        Typically used with load balancers, firewalls, or routers.'
    - name: packets
      level: core
      type: long
      description: Packets sent from the source to the destination.
      example: 12
    - name: port
      level: core
      type: long
      format: string
      description: Port of the source.
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered source domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: user.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: user.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: user.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: user.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: user.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: user.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: user.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: user.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: user.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: threat
    title: Threat
    group: 2
    description: "Fields to classify events and alerts according to a threat taxonomy\
      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
      \ The threat.tactic.* fields are meant to capture the high level category of\
      \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\
      \ which kind of approach is used by this detected threat, to accomplish the\
      \ goal (e.g. \"endpoint denial of service\")."
    type: group
    default_field: true
    fields:
    - name: enrichments
      level: extended
      type: nested
      description: A list of associated indicators objects enriching the event, and
        the context of that association/enrichment.
      default_field: false
    - name: enrichments.indicator
      level: extended
      type: object
      description: Object containing associated indicators enriching the event.
      default_field: false
    - name: enrichments.indicator.as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
      default_field: false
    - name: enrichments.indicator.as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Organization name.
      example: Google LLC
      default_field: false
    - name: enrichments.indicator.confidence
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Identifies the vendor-neutral confidence rating using the\
        \ None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework.\
        \ Vendor-specific confidence scales may be added as custom fields.\nExpected\
        \ values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
      example: Medium
      default_field: false
    - name: enrichments.indicator.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Describes the type of action conducted by the threat.
      example: IP x.x.x.x was observed delivering the Angler EK.
      default_field: false
    - name: enrichments.indicator.email.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies a threat indicator as an email address (irrespective
        of direction).
      example: phish@example.com
      default_field: false
    - name: enrichments.indicator.file.accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
      default_field: false
    - name: enrichments.indicator.file.attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attributes names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: enrichments.indicator.file.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: enrichments.indicator.file.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: enrichments.indicator.file.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: enrichments.indicator.file.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer.
      example: Microsoft Corporation
      default_field: false
    - name: enrichments.indicator.file.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: enrichments.indicator.file.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: enrichments.indicator.file.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: enrichments.indicator.file.created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
      default_field: false
    - name: enrichments.indicator.file.ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
      default_field: false
    - name: enrichments.indicator.file.device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
      default_field: false
    - name: enrichments.indicator.file.directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
      default_field: false
    - name: enrichments.indicator.file.drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: enrichments.indicator.file.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: enrichments.indicator.file.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: enrichments.indicator.file.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: enrichments.indicator.file.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: enrichments.indicator.file.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: enrichments.indicator.file.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: enrichments.indicator.file.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: enrichments.indicator.file.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: enrichments.indicator.file.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Application Binary Interface (ABI) of the Linux OS.
      default_field: false
    - name: enrichments.indicator.file.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: enrichments.indicator.file.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: enrichments.indicator.file.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: enrichments.indicator.file.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: enrichments.indicator.file.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: enrichments.indicator.file.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: enrichments.indicator.file.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: enrichments.indicator.file.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: enrichments.indicator.file.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: enrichments.indicator.file.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: enrichments.indicator.file.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
    - name: enrichments.indicator.file.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: enrichments.indicator.file.fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On Linux, a resource fork is used to store additional data with a filesystem
        object. A file always has at least one fork for the data portion, and additional
        forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
    - name: enrichments.indicator.file.gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
      default_field: false
    - name: enrichments.indicator.file.group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
      default_field: false
    - name: enrichments.indicator.file.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: enrichments.indicator.file.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: enrichments.indicator.file.inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
      default_field: false
    - name: enrichments.indicator.file.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: enrichments.indicator.file.mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
      default_field: false
    - name: enrichments.indicator.file.mtime
      level: extended
      type: date
      description: Last time the file content was modified.
      default_field: false
    - name: enrichments.indicator.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
      default_field: false
    - name: enrichments.indicator.file.owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
      default_field: false
    - name: enrichments.indicator.file.path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
      default_field: false
    - name: enrichments.indicator.file.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: enrichments.indicator.file.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: enrichments.indicator.file.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: enrichments.indicator.file.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: enrichments.indicator.file.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: enrichments.indicator.file.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: enrichments.indicator.file.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: enrichments.indicator.file.size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
      default_field: false
    - name: enrichments.indicator.file.target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Target path for symlinks.
      default_field: false
    - name: enrichments.indicator.file.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
      default_field: false
    - name: enrichments.indicator.file.uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
      default_field: false
    - name: enrichments.indicator.file.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes.
      example: US
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L).
      example: Mountain View
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: enrichments.indicator.file.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P).
      example: California
      default_field: false
    - name: enrichments.indicator.file.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: enrichments.indicator.file.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: enrichments.indicator.file.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: enrichments.indicator.file.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: enrichments.indicator.file.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: enrichments.indicator.file.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: enrichments.indicator.file.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) code
      example: US
      default_field: false
    - name: enrichments.indicator.file.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: enrichments.indicator.file.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: enrichments.indicator.file.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: enrichments.indicator.file.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: enrichments.indicator.file.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.file.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: enrichments.indicator.first_seen
      level: extended
      type: date
      description: The date and time when intelligence source first reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
      default_field: false
    - name: enrichments.indicator.geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: enrichments.indicator.geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
      default_field: false
    - name: enrichments.indicator.geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
      default_field: false
    - name: enrichments.indicator.geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
      default_field: false
    - name: enrichments.indicator.geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
      default_field: false
    - name: enrichments.indicator.geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
      default_field: false
    - name: enrichments.indicator.geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: enrichments.indicator.geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
      default_field: false
    - name: enrichments.indicator.geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
      default_field: false
    - name: enrichments.indicator.geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: enrichments.indicator.ip
      level: extended
      type: ip
      description: Identifies a threat indicator as an IP address (irrespective of
        direction).
      example: 1.2.3.4
      default_field: false
    - name: enrichments.indicator.last_seen
      level: extended
      type: date
      description: The date and time when intelligence source last reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.marking.tlp
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
      example: White
      default_field: false
    - name: enrichments.indicator.modified_at
      level: extended
      type: date
      description: The date and time when intelligence source last modified information
        for this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: enrichments.indicator.port
      level: extended
      type: long
      description: Identifies a threat indicator as a port number (irrespective of
        direction).
      example: 443
      default_field: false
    - name: enrichments.indicator.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the indicator's provider.
      example: lrz_urlhaus
      default_field: false
    - name: enrichments.indicator.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Reference URL linking to additional information about this indicator.
      example: https://system.example.com/indicator/0001234
      default_field: false
    - name: enrichments.indicator.registry.data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written with base64 encoding.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: enrichments.indicator.registry.data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of string with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: enrichments.indicator.registry.data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents
      example: REG_SZ
      default_field: false
    - name: enrichments.indicator.registry.hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: enrichments.indicator.registry.key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: enrichments.indicator.registry.path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: enrichments.indicator.registry.value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
    - name: enrichments.indicator.scanner_stats
      level: extended
      type: long
      description: Count of AV/EDR vendors that successfully detected malicious file
        or URL.
      example: 4
      default_field: false
    - name: enrichments.indicator.sightings
      level: extended
      type: long
      description: Number of times this indicator was observed conducting threat activity.
      example: 20
      default_field: false
    - name: enrichments.indicator.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
        \ Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
      example: ipv4-addr
      default_field: false
    - name: enrichments.indicator.url.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
      default_field: false
    - name: enrichments.indicator.url.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: enrichments.indicator.url.fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
      default_field: false
    - name: enrichments.indicator.url.full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
      default_field: false
    - name: enrichments.indicator.url.original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
      default_field: false
    - name: enrichments.indicator.url.password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
      default_field: false
    - name: enrichments.indicator.url.path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
      default_field: false
    - name: enrichments.indicator.url.port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
      default_field: false
    - name: enrichments.indicator.url.query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
      default_field: false
    - name: enrichments.indicator.url.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
      default_field: false
    - name: enrichments.indicator.url.scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
      default_field: false
    - name: enrichments.indicator.url.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: enrichments.indicator.url.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
      default_field: false
    - name: enrichments.indicator.url.username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
      default_field: false
    - name: enrichments.indicator.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: enrichments.indicator.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common name (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: enrichments.indicator.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: enrichments.indicator.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: enrichments.indicator.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: enrichments.indicator.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: enrichments.indicator.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: enrichments.indicator.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: enrichments.indicator.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: enrichments.indicator.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: enrichments.indicator.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: enrichments.indicator.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: enrichments.indicator.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: enrichments.indicator.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: enrichments.indicator.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: enrichments.indicator.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: enrichments.indicator.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) code
      example: US
      default_field: false
    - name: enrichments.indicator.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: enrichments.indicator.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: enrichments.indicator.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: enrichments.indicator.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: enrichments.indicator.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: enrichments.indicator.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: enrichments.matched.atomic
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the atomic indicator value that matched a local environment
        endpoint or network event.
      example: bad-domain.com
      default_field: false
    - name: enrichments.matched.field
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the field of the atomic indicator that matched a local
        environment endpoint or network event.
      example: file.hash.sha256
      default_field: false
    - name: enrichments.matched.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the _id of the indicator document enriching the event.
      example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
      default_field: false
    - name: enrichments.matched.index
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the _index of the indicator document enriching the event.
      example: filebeat-8.0.0-2021.05.23-000011
      default_field: false
    - name: enrichments.matched.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies the type of match that caused the event to be enriched
        with the given indicator
      example: indicator_match_rule
      default_field: false
    - name: framework
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the threat framework used to further categorize and classify
        the tactic and technique of the reported threat. Framework classification
        can be provided by detecting systems, evaluated at ingest time, or retrospectively
        tagged to events.
      example: MITRE ATT&CK
    - name: group.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The alias(es) of the group for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE group alias(es)."
      example: '[ "Magecart Group 6" ]'
      default_field: false
    - name: group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of the group for a set of related intrusion activity that\
        \ are tracked by a common name in the security community.\nWhile not required,\
        \ you can use a MITRE ATT&CK\xAE group id."
      example: G0037
      default_field: false
    - name: group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The name of the group for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE group name."
      example: FIN6
      default_field: false
    - name: group.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference URL of the group for a set of related intrusion\
        \ activity that are tracked by a common name in the security community.\n\
        While not required, you can use a MITRE ATT&CK\xAE group reference URL."
      example: https://attack.mitre.org/groups/G0037/
      default_field: false
    - name: indicator.as.number
      level: extended
      type: long
      description: Unique number allocated to the autonomous system. The autonomous
        system number (ASN) uniquely identifies each network on the Internet.
      example: 15169
      default_field: false
    - name: indicator.as.organization.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Organization name.
      example: Google LLC
      default_field: false
    - name: indicator.confidence
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Identifies the vendor-neutral confidence rating using the None/Low/Medium/High\
        \ scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence\
        \ scales may be added as custom fields.\nExpected values are:\n  * Not Specified\n\
        \  * None\n  * Low\n  * Medium\n  * High"
      example: Medium
      default_field: false
    - name: indicator.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Describes the type of action conducted by the threat.
      example: IP x.x.x.x was observed delivering the Angler EK.
      default_field: false
    - name: indicator.email.address
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifies a threat indicator as an email address (irrespective
        of direction).
      example: phish@example.com
      default_field: false
    - name: indicator.file.accessed
      level: extended
      type: date
      description: 'Last time the file was accessed.

        Note that not all filesystems keep track of access time.'
      default_field: false
    - name: indicator.file.attributes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Array of file attributes.

        Attributes names will vary by platform. Here''s a non-exhaustive list of values
        that are expected in this field: archive, compressed, directory, encrypted,
        execute, hidden, read, readonly, system, write.'
      example: '["readonly", "system"]'
      default_field: false
    - name: indicator.file.code_signature.digest_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The hashing algorithm used to sign the process.

        This value can distinguish signatures when a file is signed multiple times
        by the same signer but with a different digest algorithm.'
      example: sha256
      default_field: false
    - name: indicator.file.code_signature.exists
      level: core
      type: boolean
      description: Boolean to capture if a signature is present.
      example: 'true'
      default_field: false
    - name: indicator.file.code_signature.signing_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The identifier used to sign the process.

        This is used to identify the application manufactured by a software vendor.
        The field is relevant to Apple *OS only.'
      example: com.apple.xpc.proxy
      default_field: false
    - name: indicator.file.code_signature.status
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Additional information about the certificate status.

        This is useful for logging cryptographic errors with the certificate validity
        or trust status. Leave unpopulated if the validity or trust of the certificate
        was unchecked.'
      example: ERROR_UNTRUSTED_ROOT
      default_field: false
    - name: indicator.file.code_signature.subject_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Subject name of the code signer
      example: Microsoft Corporation
      default_field: false
    - name: indicator.file.code_signature.team_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The team identifier used to sign the process.

        This is used to identify the team or vendor of a software product. The field
        is relevant to Apple *OS only.'
      example: EQHXZ8M8AV
      default_field: false
    - name: indicator.file.code_signature.timestamp
      level: extended
      type: date
      description: Date and time when the code signature was generated and signed.
      example: '2021-01-01T12:10:30Z'
      default_field: false
    - name: indicator.file.code_signature.trusted
      level: extended
      type: boolean
      description: 'Stores the trust status of the certificate chain.

        Validating the trust of the certificate chain may be complicated, and this
        field should only be populated by tools that actively check the status.'
      example: 'true'
      default_field: false
    - name: indicator.file.code_signature.valid
      level: extended
      type: boolean
      description: 'Boolean to capture if the digital signature is verified against
        the binary content.

        Leave unpopulated if a certificate was unchecked.'
      example: 'true'
      default_field: false
    - name: indicator.file.created
      level: extended
      type: date
      description: 'File creation time.

        Note that not all filesystems store the creation time.'
      default_field: false
    - name: indicator.file.ctime
      level: extended
      type: date
      description: 'Last time the file attributes or metadata changed.

        Note that changes to the file content will update `mtime`. This implies `ctime`
        will be adjusted at the same time, since `mtime` is an attribute of the file.'
      default_field: false
    - name: indicator.file.device
      level: extended
      type: keyword
      ignore_above: 1024
      description: Device that is the source of the file.
      example: sda
      default_field: false
    - name: indicator.file.directory
      level: extended
      type: keyword
      ignore_above: 1024
      description: Directory where the file is located. It should include the drive
        letter, when appropriate.
      example: /home/alice
      default_field: false
    - name: indicator.file.drive_letter
      level: extended
      type: keyword
      ignore_above: 1
      description: 'Drive letter where the file is located. This field is only relevant
        on Windows.

        The value should be uppercase, and not include the colon.'
      example: C
      default_field: false
    - name: indicator.file.elf.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: Machine architecture of the ELF file.
      example: x86-64
      default_field: false
    - name: indicator.file.elf.byte_order
      level: extended
      type: keyword
      ignore_above: 1024
      description: Byte sequence of ELF file.
      example: Little Endian
      default_field: false
    - name: indicator.file.elf.cpu_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU type of the ELF file.
      example: Intel
      default_field: false
    - name: indicator.file.elf.creation_date
      level: extended
      type: date
      description: Extracted when possible from the file's metadata. Indicates when
        it was built or compiled. It can also be faked by malware creators.
      default_field: false
    - name: indicator.file.elf.exports
      level: extended
      type: flattened
      description: List of exported element names and types.
      default_field: false
    - name: indicator.file.elf.header.abi_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF Application Binary Interface (ABI).
      default_field: false
    - name: indicator.file.elf.header.class
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header class of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.data
      level: extended
      type: keyword
      ignore_above: 1024
      description: Data table of the ELF header.
      default_field: false
    - name: indicator.file.elf.header.entrypoint
      level: extended
      type: long
      format: string
      description: Header entrypoint of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.object_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: '"0x1" for original ELF files.'
      default_field: false
    - name: indicator.file.elf.header.os_abi
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system Application Binary Interface (ABI) recorded in the
        ELF header (the EI_OSABI byte), such as SYSV or GNU/Linux. Not specific to Linux.
      default_field: false
    - name: indicator.file.elf.header.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: Header type of the ELF file.
      default_field: false
    - name: indicator.file.elf.header.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the ELF header.
      default_field: false
    - name: indicator.file.elf.imports
      level: extended
      type: flattened
      description: List of imported element names and types.
      default_field: false
    - name: indicator.file.elf.sections
      level: extended
      type: nested
      description: 'An array containing an object for each section of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.'
      default_field: false
    - name: indicator.file.elf.sections.chi2
      level: extended
      type: long
      format: number
      description: Chi-square probability distribution of the section.
      default_field: false
    - name: indicator.file.elf.sections.entropy
      level: extended
      type: long
      format: number
      description: Shannon entropy calculation from the section.
      default_field: false
    - name: indicator.file.elf.sections.flags
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List flags.
      default_field: false
    - name: indicator.file.elf.sections.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List name.
      default_field: false
    - name: indicator.file.elf.sections.physical_offset
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List offset.
      default_field: false
    - name: indicator.file.elf.sections.physical_size
      level: extended
      type: long
      format: bytes
      description: ELF Section List physical size.
      default_field: false
    - name: indicator.file.elf.sections.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF Section List type.
      default_field: false
    - name: indicator.file.elf.sections.virtual_address
      level: extended
      type: long
      format: string
      description: ELF Section List virtual address.
      default_field: false
    - name: indicator.file.elf.sections.virtual_size
      level: extended
      type: long
      format: string
      description: ELF Section List virtual size.
      default_field: false
    - name: indicator.file.elf.segments
      level: extended
      type: nested
      description: 'An array containing an object for each segment of the ELF file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.'
      default_field: false
    - name: indicator.file.elf.segments.sections
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment sections.
      default_field: false
    - name: indicator.file.elf.segments.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: ELF object segment type.
      default_field: false
    - name: indicator.file.elf.shared_libraries
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of shared libraries used by this ELF object.
      default_field: false
    - name: indicator.file.elf.telfhash
      level: extended
      type: keyword
      ignore_above: 1024
      description: telfhash symbol hash for ELF file.
      default_field: false
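The `indicator.file.elf.*` fields above mirror the ELF file header. The following is an added example (not ECS or Elastic code) that parses the header of an ELF32 or ELF64 object with only the standard library and maps it onto those field names; the constant tables are deliberately small subsets of the ELF specification, and the sample header is constructed in code for the example rather than taken from a real binary.

```python
import struct
import sys
from typing import Dict, Union

# Subsets of the ELF specification's constants, enough for this example
# (assumption: real tooling carries the full tables).
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "Little Endian", 2: "Big Endian"}
ELF_OSABI = {0: "SYSV", 3: "GNU/Linux", 9: "FreeBSD"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINE = {3: ("x86", "Intel"), 40: ("ARM", "ARM"),
               62: ("x86-64", "Intel"), 183: ("AArch64", "ARM")}


def ecs_elf_header(data: bytes) -> Dict[str, Union[str, int]]:
    """Parse an ELF32/ELF64 file header and map it onto the ECS elf.* fields above."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    endian = "<" if ei_data == 1 else ">"
    # After the 16-byte e_ident: e_type, e_machine, e_version, e_entry
    fmt = endian + ("HHIQ" if ei_class == 2 else "HHII")
    e_type, e_machine, e_version, e_entry = struct.unpack_from(fmt, data, 16)
    arch, cpu = ELF_MACHINE.get(e_machine, (f"unknown({e_machine})", "unknown"))
    return {
        "architecture": arch,
        "byte_order": ELF_DATA.get(ei_data, f"unknown({ei_data})"),
        "cpu_type": cpu,
        "header.abi_version": str(ei_abiversion),
        "header.class": ELF_CLASS.get(ei_class, f"unknown({ei_class})"),
        "header.data": ELF_DATA.get(ei_data, f"unknown({ei_data})"),
        "header.entrypoint": e_entry,
        "header.object_version": hex(e_version),   # "0x1" for original ELF files
        "header.os_abi": ELF_OSABI.get(ei_osabi, f"unknown({ei_osabi})"),
        "header.type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "header.version": str(ei_version),
    }


def sample_elf64_header() -> bytes:
    """Constructed 64-byte ELF64 header: little-endian x86-64 shared object (PIE)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    # e_type=DYN, e_machine=x86-64, e_version=1, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0, 0,
                               64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    # Usage: python elf_header.py /path/to/binary   (falls back to the sample header)
    raw = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else sample_elf64_header()
    for key, value in ecs_elf_header(raw).items():
        print(f"file.elf.{key} = {value}")
```

Note that `creation_date`, `sections`, `segments`, `imports`, `exports` and `telfhash` are not in the header and need the section and symbol tables; the parser above stops at the 64-byte header on purpose so that a truncated or hostile file cannot drive it past the bytes it has read.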
    - name: indicator.file.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'File extension, excluding the leading dot.

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: indicator.file.fork_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A fork is additional data associated with a filesystem object.

        On macOS (HFS+ and APFS), a resource fork is used to store additional data with
        a filesystem object. A file always has at least one fork for the data portion,
        and additional forks may exist.

        On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
        data stream for a file is just called $DATA. Zone.Identifier is commonly used
        by Windows to track contents downloaded from the Internet. An ADS is typically
        of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
        is the value that should populate `fork_name`. `filename.extension` should
        populate `file.name`, and `extension` should populate `file.extension`. The
        full path, `file.path`, will include the fork name.'
      example: Zone.Identifier
      default_field: false
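The `fork_name`, `drive_letter`, `directory`, `name`, `extension` and `path` descriptions together define how one observed path splits into ECS `file.*` fields. The function below is an added example (not ECS or Elastic code) that applies those rules to a Windows path carrying an Alternate Data Stream and to a POSIX path; the sample paths are constructed for the example, and it assumes that a path containing a backslash or a drive letter is a Windows path, since a colon is a legal file-name character on POSIX and must not be treated as a fork separator there.

```python
import re
from typing import Dict

# Constructed sample paths for this example (not taken from the schema).
WINDOWS_ADS_PATH = r"C:\Users\alice\Downloads\report.tar.gz:Zone.Identifier"
POSIX_PATH = "/home/alice/example.png"

# "X:\" or "X:/" at the start of a path marks a Windows drive letter.
_DRIVE_RE = re.compile(r"^([A-Za-z]):[\\/]")


def ecs_file_fields(path: str) -> Dict[str, str]:
    """Split a full path into the ECS file.* fields defined above.

    Assumption: a path containing a backslash or a drive letter is Windows
    (NTFS), so a colon in the last path component separates the file name
    from an Alternate Data Stream (fork_name). POSIX paths are never split
    on a colon.
    """
    fields: Dict[str, str] = {"path": path}   # file.path keeps the fork name
    drive = _DRIVE_RE.match(path)
    is_windows = drive is not None or "\\" in path
    sep = "\\" if is_windows else "/"

    if drive:
        fields["drive_letter"] = drive.group(1).upper()   # uppercase, no colon

    directory, _, leaf = path.rpartition(sep)
    if not directory and path.startswith(sep):
        directory = sep                          # file directly under "/"
    if is_windows and len(directory) == 2 and directory[1] == ":":
        directory += sep                         # file directly under "C:\"
    if directory:
        fields["directory"] = directory          # includes the drive letter

    name, fork = leaf, ""
    if is_windows and ":" in leaf:
        name, fork = leaf.split(":", 1)
    fields["name"] = name                        # extension kept, fork dropped
    if fork:
        fields["fork_name"] = fork

    base, dot, ext = name.rpartition(".")
    if dot and base:                             # last extension only, no dot
        fields["extension"] = ext
    return fields


if __name__ == "__main__":
    for sample in (WINDOWS_ADS_PATH, POSIX_PATH):
        print(ecs_file_fields(sample))
```

For `report.tar.gz` the extension is `gz`, matching the rule in `file.extension`, and the `Zone.Identifier` stream lands in `fork_name` while `file.path` still carries the full `name:stream` form, which is what a detection for Mark-of-the-Web removal or ADS-hidden payloads would key on.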
    - name: indicator.file.gid
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group ID (GID) of the file.
      example: '1001'
      default_field: false
    - name: indicator.file.group
      level: extended
      type: keyword
      ignore_above: 1024
      description: Primary group name of the file.
      example: alice
      default_field: false
    - name: indicator.file.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: MD5 hash.
      default_field: false
    - name: indicator.file.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA1 hash.
      default_field: false
    - name: indicator.file.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA256 hash.
      default_field: false
    - name: indicator.file.hash.sha512
      level: extended
      type: keyword
      ignore_above: 1024
      description: SHA512 hash.
      default_field: false
    - name: indicator.file.hash.ssdeep
      level: extended
      type: keyword
      ignore_above: 1024
      description: SSDEEP hash.
      default_field: false
    - name: indicator.file.inode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Inode representing the file in the filesystem.
      example: '256383'
      default_field: false
    - name: indicator.file.mime_type
      level: extended
      type: keyword
      ignore_above: 1024
      description: MIME type should identify the format of the file or stream of bytes
        using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
        official types], where possible. When more than one type is applicable, the
        most specific type should be used.
      default_field: false
    - name: indicator.file.mode
      level: extended
      type: keyword
      ignore_above: 1024
      description: Mode of the file in octal representation.
      example: '0640'
      default_field: false
    - name: indicator.file.mtime
      level: extended
      type: date
      description: Last time the file content was modified.
      default_field: false
    - name: indicator.file.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the file including the extension, without the directory.
      example: example.png
      default_field: false
    - name: indicator.file.owner
      level: extended
      type: keyword
      ignore_above: 1024
      description: File owner's username.
      example: alice
      default_field: false
    - name: indicator.file.path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Full path to the file, including the file name. It should include
        the drive letter, when appropriate.
      example: /home/alice/example.png
      default_field: false
    - name: indicator.file.pe.architecture
      level: extended
      type: keyword
      ignore_above: 1024
      description: CPU architecture target for the file.
      example: x64
      default_field: false
    - name: indicator.file.pe.company
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal company name of the file, provided at compile-time.
      example: Microsoft Corporation
      default_field: false
    - name: indicator.file.pe.description
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal description of the file, provided at compile-time.
      example: Paint
      default_field: false
    - name: indicator.file.pe.file_version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal version of the file, provided at compile-time.
      example: 6.3.9600.17415
      default_field: false
    - name: indicator.file.pe.imphash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'A hash of the imports in a PE file. An imphash -- or import hash
        -- can be used to fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
      example: 0c6803c4e922103c4dca5963aad36ddf
      default_field: false
    - name: indicator.file.pe.original_file_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal name of the file, provided at compile-time.
      example: MSPAINT.EXE
      default_field: false
    - name: indicator.file.pe.product
      level: extended
      type: keyword
      ignore_above: 1024
      description: Internal product name of the file, provided at compile-time.
      example: "Microsoft\xAE Windows\xAE Operating System"
      default_field: false
    - name: indicator.file.size
      level: extended
      type: long
      description: 'File size in bytes.

        Only relevant when `file.type` is "file".'
      example: 16384
      default_field: false
    - name: indicator.file.target_path
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Target path for symlinks.
      default_field: false
    - name: indicator.file.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: File type (file, dir, or symlink).
      example: file
      default_field: false
    - name: indicator.file.uid
      level: extended
      type: keyword
      ignore_above: 1024
      description: The user ID (UID) or security identifier (SID) of the file owner.
      example: '1001'
      default_field: false
    - name: indicator.file.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: indicator.file.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: indicator.file.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.file.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: indicator.file.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: indicator.file.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: indicator.file.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: indicator.file.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.file.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: indicator.file.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: indicator.file.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: indicator.file.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: indicator.file.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: indicator.file.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: indicator.file.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: indicator.file.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: indicator.file.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: indicator.file.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.file.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: indicator.file.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: indicator.file.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: indicator.file.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: indicator.file.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.file.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: indicator.first_seen
      level: extended
      type: date
      description: The date and time when intelligence source first reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.geo.city_name
      level: core
      type: keyword
      ignore_above: 1024
      description: City name.
      example: Montreal
      default_field: false
    - name: indicator.geo.continent_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Two-letter code representing continent's name.
      example: NA
      default_field: false
    - name: indicator.geo.continent_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the continent.
      example: North America
      default_field: false
    - name: indicator.geo.country_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Country ISO code.
      example: CA
      default_field: false
    - name: indicator.geo.country_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Country name.
      example: Canada
      default_field: false
    - name: indicator.geo.location
      level: core
      type: geo_point
      description: Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'
      default_field: false
    - name: indicator.geo.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'User-defined description of a location, at the level of granularity
        they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.'
      example: boston-dc
      default_field: false
    - name: indicator.geo.postal_code
      level: core
      type: keyword
      ignore_above: 1024
      description: 'Postal code associated with the location.

        Values appropriate for this field may also be known as a postcode or ZIP code
        and will vary widely from country to country.'
      example: 94040
      default_field: false
    - name: indicator.geo.region_iso_code
      level: core
      type: keyword
      ignore_above: 1024
      description: Region ISO code.
      example: CA-QC
      default_field: false
    - name: indicator.geo.region_name
      level: core
      type: keyword
      ignore_above: 1024
      description: Region name.
      example: Quebec
      default_field: false
    - name: indicator.geo.timezone
      level: core
      type: keyword
      ignore_above: 1024
      description: The time zone of the location, such as IANA time zone name.
      example: America/Argentina/Buenos_Aires
      default_field: false
    - name: indicator.ip
      level: extended
      type: ip
      description: Identifies a threat indicator as an IP address (irrespective of
        direction).
      example: 1.2.3.4
      default_field: false
    - name: indicator.last_seen
      level: extended
      type: date
      description: The date and time when intelligence source last reported sighting
        this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.marking.tlp
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
        \  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
      example: WHITE
      default_field: false
    - name: indicator.modified_at
      level: extended
      type: date
      description: The date and time when intelligence source last modified information
        for this indicator.
      example: '2020-11-05T17:25:47.000Z'
      default_field: false
    - name: indicator.port
      level: extended
      type: long
      description: Identifies a threat indicator as a port number (irrespective of
        direction).
      example: 443
      default_field: false
    - name: indicator.provider
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the indicator's provider.
      example: lrz_urlhaus
      default_field: false
    - name: indicator.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: Reference URL linking to additional information about this indicator.
      example: https://system.example.com/indicator/0001234
      default_field: false
    - name: indicator.registry.data.bytes
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Original bytes written with base64 encoding.

        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
        corresponds to the data pointed by `lp_data`. This is optional but provides
        better recoverability and should be populated for REG_BINARY encoded values.'
      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
      default_field: false
    - name: indicator.registry.data.strings
      level: core
      type: wildcard
      description: 'Content when writing string types.

        Populated as an array when writing string data to the registry. For single
        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
        one string. For sequences of string with REG_MULTI_SZ, this array will be
        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
        be populated with the decimal representation (e.g `"1"`).'
      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
      default_field: false
    - name: indicator.registry.data.type
      level: core
      type: keyword
      ignore_above: 1024
      description: Standard registry type for encoding contents
      example: REG_SZ
      default_field: false
    - name: indicator.registry.hive
      level: core
      type: keyword
      ignore_above: 1024
      description: Abbreviated name for the hive.
      example: HKLM
      default_field: false
    - name: indicator.registry.key
      level: core
      type: keyword
      ignore_above: 1024
      description: Hive-relative path of keys.
      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
      default_field: false
    - name: indicator.registry.path
      level: core
      type: keyword
      ignore_above: 1024
      description: Full path, including hive, key and value
      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
        Options\winword.exe\Debugger
      default_field: false
    - name: indicator.registry.value
      level: core
      type: keyword
      ignore_above: 1024
      description: Name of the value written.
      example: Debugger
      default_field: false
    - name: indicator.scanner_stats
      level: extended
      type: long
      description: Count of AV/EDR vendors that successfully detected the malicious
        file or URL.
      example: 4
      default_field: false
    - name: indicator.sightings
      level: extended
      type: long
      description: Number of times this indicator was observed conducting threat activity.
      example: 20
      default_field: false
    - name: indicator.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
        Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n\
        \  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n\
        \  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n \
        \ * user-account\n  * windows-registry-key\n  * x509-certificate"
      example: ipv4-addr
      default_field: false
    - name: indicator.url.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
      default_field: false
    - name: indicator.url.extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
      default_field: false
    - name: indicator.url.fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
      default_field: false
    - name: indicator.url.full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
      default_field: false
    - name: indicator.url.original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
      default_field: false
    - name: indicator.url.password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
      default_field: false
    - name: indicator.url.path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
      default_field: false
    - name: indicator.url.port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
      default_field: false
    - name: indicator.url.query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
      default_field: false
    - name: indicator.url.registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
      default_field: false
    - name: indicator.url.scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
      default_field: false
    - name: indicator.url.subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain.  In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: indicator.url.top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
      default_field: false
    - name: indicator.url.username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
      default_field: false
    - name: indicator.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: indicator.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: indicator.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: indicator.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: indicator.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: indicator.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: indicator.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: indicator.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: indicator.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: indicator.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: indicator.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: indicator.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: indicator.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: indicator.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: indicator.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: indicator.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: indicator.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: indicator.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: indicator.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: indicator.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: indicator.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: indicator.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: software.alias
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The alias(es) of the software for a set of related intrusion activity\
        \ that are tracked by a common name in the security community.\nWhile not\
        \ required, you can use a MITRE ATT&CK\xAE associated software description."
      example: '[ "X-Agent" ]'
      default_field: false
    - name: software.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
        \ a MITRE ATT&CK\xAE software id."
      example: S0552
      default_field: false
    - name: software.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The name of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
        \ a MITRE ATT&CK\xAE software name."
      example: AdFind
      default_field: false
    - name: software.platforms
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The platforms of the software used by this threat to conduct behavior\
        \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n  * AWS\n\
        \  * Azure\n  * Azure AD\n  * GCP\n  * Linux\n  * macOS\n  * Network\n  *\
        \ Office 365\n  * SaaS\n  * Windows\n\nWhile not required, you can use a MITRE\
        \ ATT&CK\xAE software platforms."
      example: '[ "Windows" ]'
      default_field: false
    - name: software.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference URL of the software used by this threat to conduct\
        \ behavior commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you\
        \ can use a MITRE ATT&CK\xAE software reference URL."
      example: https://attack.mitre.org/software/S0552/
      default_field: false
    - name: software.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The type of software used by this threat to conduct behavior commonly\
        \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n  * Malware\n  * Tool\n\
        \n While not required, you can use a MITRE ATT&CK\xAE software type."
      example: Tool
      default_field: false
    - name: tactic.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
      example: TA0002
    - name: tactic.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: "Name of the type of tactic used by this threat. You can use a\
        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
      example: Execution
    - name: tactic.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of tactic used by this threat. You can use a\
        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
        \ )"
      example: https://attack.mitre.org/tactics/TA0002/
    - name: technique.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: T1059
    - name: technique.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: "The name of technique used by this threat. You can use a MITRE\
        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: Command and Scripting Interpreter
    - name: technique.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of technique used by this threat. You can use\
        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
      example: https://attack.mitre.org/techniques/T1059/
    - name: technique.subtechnique.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The full id of subtechnique used by this threat. You can use a\
        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: T1059.001
      default_field: false
    - name: technique.subtechnique.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: "The name of subtechnique used by this threat. You can use a MITRE\
        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: PowerShell
      default_field: false
    - name: technique.subtechnique.reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: "The reference url of subtechnique used by this threat. You can\
        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
      example: https://attack.mitre.org/techniques/T1059/001/
      default_field: false
  - name: tls
    title: TLS
    group: 2
    description: Fields related to a TLS connection. These fields focus on the TLS
      protocol itself and intentionally avoid in-depth analysis of the related x.509
      certificate files.
    type: group
    default_field: true
    fields:
    - name: cipher
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the cipher used during the current connection.
      example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      default_field: false
    - name: client.certificate
      level: extended
      type: keyword
      ignore_above: 1024
      description: PEM-encoded stand-alone certificate offered by the client. This
        is usually mutually-exclusive of `client.certificate_chain` since this value
        also exists in that list.
      example: MII...
      default_field: false
    - name: client.certificate_chain
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of PEM-encoded certificates that make up the certificate
        chain offered by the client. This is usually mutually-exclusive of `client.certificate`
        since that value should be the first certificate in the chain.
      example: '["MII...", "MII..."]'
      default_field: false
    - name: client.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the MD5 digest of DER-encoded version
        of certificate offered by the client. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
      default_field: false
    - name: client.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
        of certificate offered by the client. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
      default_field: false
    - name: client.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA256 digest of DER-encoded
        version of certificate offered by the client. For consistency with other hash
        values, this value should be formatted as an uppercase hash.
      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
      default_field: false
    - name: client.issuer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name of subject of the issuer of the x.509 certificate
        presented by the client.
      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: client.ja3
      level: extended
      type: keyword
      ignore_above: 1024
      description: A hash that identifies clients based on how they perform an SSL/TLS
        handshake.
      example: d4e5b18d6b55c71272893221c96ba240
      default_field: false
    - name: client.not_after
      level: extended
      type: date
      description: Date/Time indicating when client certificate is no longer considered
        valid.
      example: '2021-01-01T00:00:00.000Z'
      default_field: false
    - name: client.not_before
      level: extended
      type: date
      description: Date/Time indicating when client certificate is first considered
        valid.
      example: '1970-01-01T00:00:00.000Z'
      default_field: false
    - name: client.server_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Also called an SNI, this tells the server which hostname the client
        is attempting to connect to. When this value is available, it should be copied
        to `destination.domain`.
      example: www.elastic.co
      default_field: false
    - name: client.subject
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name of subject of the x.509 certificate presented
        by the client.
      example: CN=myclient, OU=Documentation Team, DC=example, DC=com
      default_field: false
    - name: client.supported_ciphers
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of ciphers offered by the client during the client hello.
      example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "..."]'
      default_field: false
    - name: client.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: client.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: client.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: client.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: client.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: client.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: client.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: client.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: client.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: client.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: client.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: client.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: client.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: client.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: client.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: client.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: client.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: client.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: client.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: client.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: client.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: client.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: client.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: client.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the curve used for the given cipher, when applicable.
      example: secp256r1
      default_field: false
    - name: established
      level: extended
      type: boolean
      description: Boolean flag indicating if the TLS negotiation was successful and
        transitioned to an encrypted tunnel.
      default_field: false
    - name: next_protocol
      level: extended
      type: keyword
      ignore_above: 1024
      description: String indicating the protocol being tunneled. Per the values in
        the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
        this string should be lower case.
      example: http/1.1
      default_field: false
    - name: resumed
      level: extended
      type: boolean
      description: Boolean flag indicating if this TLS connection was resumed from
        an existing TLS negotiation.
      default_field: false
    - name: server.certificate
      level: extended
      type: keyword
      ignore_above: 1024
      description: PEM-encoded stand-alone certificate offered by the server. This
        is usually mutually-exclusive of `server.certificate_chain` since this value
        also exists in that list.
      example: MII...
      default_field: false
    - name: server.certificate_chain
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of PEM-encoded certificates that make up the certificate
        chain offered by the server. This is usually mutually-exclusive of `server.certificate`
        since that value should be the first certificate in the chain.
      example: '["MII...", "MII..."]'
      default_field: false
    - name: server.hash.md5
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the MD5 digest of DER-encoded version
        of certificate offered by the server. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
      default_field: false
    - name: server.hash.sha1
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA1 digest of DER-encoded version
        of certificate offered by the server. For consistency with other hash values,
        this value should be formatted as an uppercase hash.
      example: 9E393D93138888D288266C2D915214D1D1CCEB2A
      default_field: false
    - name: server.hash.sha256
      level: extended
      type: keyword
      ignore_above: 1024
      description: Certificate fingerprint using the SHA256 digest of DER-encoded
        version of certificate offered by the server. For consistency with other hash
        values, this value should be formatted as an uppercase hash.
      example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
      default_field: false
    - name: server.issuer
      level: extended
      type: keyword
      ignore_above: 1024
      description: Subject of the issuer of the x.509 certificate presented by the
        server.
      example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: server.ja3s
      level: extended
      type: keyword
      ignore_above: 1024
      description: A hash that identifies servers based on how they perform an SSL/TLS
        handshake.
      example: 394441ab65754e2207b1e1b457b3641d
      default_field: false
    - name: server.not_after
      level: extended
      type: date
      description: Timestamp indicating when server certificate is no longer considered
        valid.
      example: '2021-01-01T00:00:00.000Z'
      default_field: false
    - name: server.not_before
      level: extended
      type: date
      description: Timestamp indicating when server certificate is first considered
        valid.
      example: '1970-01-01T00:00:00.000Z'
      default_field: false
    - name: server.subject
      level: extended
      type: keyword
      ignore_above: 1024
      description: Subject of the x.509 certificate presented by the server.
      example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
      default_field: false
    - name: server.x509.alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: server.x509.issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: server.x509.issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: server.x509.issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: server.x509.issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: server.x509.issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: server.x509.issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: server.x509.issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: server.x509.not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: server.x509.not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: server.x509.public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: server.x509.public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: server.x509.public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: server.x509.public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: server.x509.serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and in uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: server.x509.signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in the Go crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: server.x509.subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: server.x509.subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: server.x509.subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: server.x509.subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: server.x509.subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: server.x509.subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: server.x509.subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: server.x509.version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Numeric part of the version parsed from the original string.
      example: '1.2'
      default_field: false
    - name: version_protocol
      level: extended
      type: keyword
      ignore_above: 1024
      description: Normalized lowercase protocol name parsed from original string.
      example: tls
      default_field: false
  - name: span.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the span within the scope of its trace.

      A span represents an operation within a transaction, such as a request to another
      service, or a database query.'
    example: 3ff9a8981b7ccd5a
  - name: trace.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the trace.

      A trace groups multiple events like transactions that belong together. For example,
      a user request handled by multiple inter-connected services.'
    example: 4bf92f3577b34da6a3ce929d0e0e4736
    default_field: true
  - name: transaction.id
    level: extended
    type: keyword
    ignore_above: 1024
    description: 'Unique identifier of the transaction within the scope of its trace.

      A transaction is the highest level of work measured within a service, such as
      a request to a server.'
    example: 00f067aa0ba902b7
    default_field: true
  - name: url
    title: URL
    group: 2
    description: URL fields provide support for complete or partial URLs, and support
      breaking them down into scheme, domain, path, and so on.
    type: group
    default_field: true
    fields:
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Domain of the url, such as "www.elastic.co".

        In some cases a URL may refer to an IP and/or port directly, without a domain
        name. In this case, the IP address would go to the `domain` field.

        If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
        2732), the `[` and `]` characters should also be captured in the `domain`
        field.'
      example: www.elastic.co
    - name: extension
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The field contains the file extension from the original request
        url, excluding the leading dot.

        The file extension is only set if it exists, as not every url has a file extension.

        The leading period must not be included. For example, the value must be "png",
        not ".png".

        Note that when the file name has multiple extensions (example.tar.gz), only
        the last one should be captured ("gz", not "tar.gz").'
      example: png
    - name: fragment
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Portion of the url after the `#`, such as "top".

        The `#` is not part of the fragment.'
    - name: full
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: If full URLs are important to your use case, they should be stored
        in `url.full`, whether this field is reconstructed or present in the event
        source.
      example: https://www.elastic.co:443/search?q=elasticsearch#top
    - name: original
      level: extended
      type: wildcard
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: 'Unmodified original url as seen in the event source.

        Note that in network monitoring, the observed URL may be a full URL, whereas
        in access logs, the URL is often just represented as a path.

        This field is meant to represent the URL as it was observed, complete or not.'
      example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
    - name: password
      level: extended
      type: keyword
      ignore_above: 1024
      description: Password of the request.
    - name: path
      level: extended
      type: wildcard
      description: Path of the request, such as "/search".
    - name: port
      level: extended
      type: long
      format: string
      description: Port of the request, such as 443.
      example: 443
    - name: query
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The query field describes the query string of the request, such
        as "q=elasticsearch".

        The `?` is excluded from the query string. If a URL contains no `?`, there
        is no query field. If there is a `?` but no query, the query field exists
        with an empty string. The `exists` query can be used to differentiate between
        the two cases.'
    - name: registered_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The highest registered url domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last two labels will not work well for TLDs such as "co.uk".'
      example: example.com
    - name: scheme
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Scheme of the request, such as "https".

        Note: The `:` is not part of the scheme.'
      example: https
    - name: subdomain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The subdomain portion of a fully qualified domain name includes
        all of the names except the host name under the registered_domain. In a partially
        qualified domain, or if the qualification level of the full name cannot
        be determined, subdomain contains all of the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.'
      example: east
      default_field: false
    - name: top_level_domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The effective top level domain (eTLD), also known as the domain
        suffix, is the last part of the domain name. For example, the top level domain
        for example.com is "com".

        This value can be determined precisely with a list like the public suffix
        list (http://publicsuffix.org). Trying to approximate this by simply taking
        the last label will not work well for effective TLDs such as "co.uk".'
      example: co.uk
    - name: username
      level: extended
      type: keyword
      ignore_above: 1024
      description: Username of the request.
  - name: user
    title: User
    group: 2
    description: 'The user fields describe information about the user that is relevant
      to the event.

      Fields can have one entry or multiple entries. If a user has more than one id,
      provide an array that includes all of them.'
    type: group
    default_field: true
    fields:
    - name: changes.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: changes.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: changes.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: changes.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: changes.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: changes.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: changes.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: changes.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: changes.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: changes.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: effective.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: effective.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: effective.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: effective.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: effective.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: effective.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: effective.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: effective.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: effective.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: effective.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
    - name: full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: User's full name, if available.
      example: Albert Einstein
    - name: group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
    - name: group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
    - name: group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
    - name: hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
    - name: id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
    - name: name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Short name or login of the user.
      example: a.einstein
    - name: roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
    - name: target.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the user is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: target.email
      level: extended
      type: keyword
      ignore_above: 1024
      description: User email address.
      default_field: false
    - name: target.full_name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: User's full name, if available.
      example: Albert Einstein
      default_field: false
    - name: target.group.domain
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Name of the directory the group is a member of.

        For example, an LDAP or Active Directory domain name.'
      default_field: false
    - name: target.group.id
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique identifier for the group on the system/platform.
      default_field: false
    - name: target.group.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the group.
      default_field: false
    - name: target.hash
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Unique user hash to correlate information for a user in anonymized
        form.

        Useful if `user.id` or `user.name` contain confidential information and cannot
        be used.'
      default_field: false
    - name: target.id
      level: core
      type: keyword
      ignore_above: 1024
      description: Unique identifier of the user.
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      default_field: false
    - name: target.name
      level: core
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Short name or login of the user.
      example: a.einstein
      default_field: false
    - name: target.roles
      level: extended
      type: keyword
      ignore_above: 1024
      description: Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'
      default_field: false
  - name: user_agent
    title: User agent
    group: 2
    description: 'The user_agent fields normally come from a browser request.

      They often show up in web service logs coming from the parsed user agent string.'
    type: group
    default_field: true
    fields:
    - name: device.name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the device.
      example: iPhone
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Name of the user agent.
      example: Safari
    - name: original
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: Unparsed user_agent string.
      example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
        (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
    - name: os.family
      level: extended
      type: keyword
      ignore_above: 1024
      description: OS family (such as redhat, debian, freebsd, windows).
      example: debian
    - name: os.full
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, including the version or code name.
      example: Mac OS Mojave
    - name: os.kernel
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system kernel version as a raw string.
      example: 4.4.0-112-generic
    - name: os.name
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
        default_field: false
      description: Operating system name, without the version.
      example: Mac OS X
    - name: os.platform
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system platform (such as centos, ubuntu, windows).
      example: darwin
    - name: os.type
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'Use the `os.type` field to categorize the operating system into
        one of the broad commercial families.

        One of the following values should be used (lowercase): linux, macos, unix,
        windows.

        If the OS you''re dealing with is not in the list, the field should not be
        populated. Please let us know by opening an issue with ECS, to propose its
        addition.'
      example: macos
      default_field: false
    - name: os.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Operating system version as a raw string.
      example: 10.14.1
    - name: version
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of the user agent.
      example: 12.0
  - name: vlan
    title: VLAN
    group: 2
    description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet,
      as well as ingress and egress VLAN associations of an observer in relation to
      a specific packet or connection.

      Network.vlan fields are used to record a single VLAN tag, or the outer tag in
      the case of q-in-q encapsulations, for a packet or connection as observed, typically
      provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.

      Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
      802.1q encapsulations) as observed, typically provided by a network sensor (e.g.
      Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
      only be used in addition to network.vlan fields to indicate q-in-q tagging.

      Observer.ingress and observer.egress VLAN values are used to record observer
      specific information when observer events contain discrete ingress and egress
      VLAN information, typically provided by firewalls, routers, or load balancers.'
    type: group
    default_field: true
    fields:
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: VLAN ID as reported by the observer.
      example: 10
      default_field: false
    - name: name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Optional VLAN name as reported by the observer.
      example: outside
      default_field: false
  - name: vulnerability
    title: Vulnerability
    group: 2
    description: The vulnerability fields describe information about a vulnerability
      that is relevant to an event.
    type: group
    default_field: true
    fields:
    - name: category
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The type of system or architecture that the vulnerability affects.
        These may be platform-specific (for example, Debian or SUSE) or general (for
        example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
        vulnerability categories])

        This field must be an array.'
      example: '["Firewall"]'
      default_field: false
    - name: classification
      level: extended
      type: keyword
      ignore_above: 1024
      description: The classification of the vulnerability scoring system. For example
        (https://www.first.org/cvss/)
      example: CVSS
      default_field: false
    - name: description
      level: extended
      type: keyword
      ignore_above: 1024
      multi_fields:
      - name: text
        type: match_only_text
      description: The description of the vulnerability that provides additional context
        of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
        Vulnerabilities and Exposure CVE description])
      example: In macOS before 2.12.6, there is a vulnerability in the RPC...
      default_field: false
    - name: enumeration
      level: extended
      type: keyword
      ignore_above: 1024
      description: The type of identifier used for this vulnerability. For example
        (https://cve.mitre.org/about/)
      example: CVE
      default_field: false
    - name: id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The identification (ID) is the number portion of a vulnerability
        entry. It includes a unique identification number for the vulnerability. For
        example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
        and Exposure CVE ID]
      example: CVE-2019-00001
      default_field: false
    - name: reference
      level: extended
      type: keyword
      ignore_above: 1024
      description: A resource that provides additional information, context, and mitigations
        for the identified vulnerability.
      example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
      default_field: false
    - name: report_id
      level: extended
      type: keyword
      ignore_above: 1024
      description: The report or scan identification number.
      example: 20191018.0001
      default_field: false
    - name: scanner.vendor
      level: extended
      type: keyword
      ignore_above: 1024
      description: The name of the vulnerability scanner vendor.
      example: Tenable
      default_field: false
    - name: score.base
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Base scores cover an assessment for exploitability metrics (attack vector,
        complexity, privileges, and user interaction), impact metrics (confidentiality,
        integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
      example: 5.5
      default_field: false
    - name: score.environmental
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Environmental scores cover an assessment for any modified Base metrics, confidentiality,
        integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
      example: 5.5
      default_field: false
    - name: score.temporal
      level: extended
      type: float
      description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.

        Temporal scores cover an assessment for code maturity, remediation level,
        and confidence. For example (https://www.first.org/cvss/specification-document)'
      default_field: false
    - name: score.version
      level: extended
      type: keyword
      ignore_above: 1024
      description: 'The National Vulnerability Database (NVD) provides qualitative
        severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score
        ranges in addition to the severity ratings for CVSS v3.0 as they are defined
        in the CVSS v3.0 specification.

        CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
        organization, whose mission is to help computer security incident response
        teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
      example: 2.0
      default_field: false
    - name: severity
      level: extended
      type: keyword
      ignore_above: 1024
      description: The severity of the vulnerability can help with metrics and internal
        prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
      example: Critical
      default_field: false
  - name: x509
    title: x509 Certificate
    group: 2
    description: 'This implements the common core fields for x509 certificates. This
      information is likely logged with TLS sessions, digital signatures found in
      executable binaries, S/MIME information in email bodies, or analysis of files
      on disk.

      When the certificate relates to a file, use the fields at `file.x509`. When
      hashes of the DER-encoded certificate are available, the `hash` data set should
      be populated as well (e.g. `file.hash.sha256`).

      Events that contain certificate information about network connections, should
      use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
      `tls.client.x509`.'
    type: group
    default_field: true
    fields:
    - name: alternative_names
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of subject alternative names (SAN). Name types vary by certificate
        authority and certificate type but commonly contain IP addresses, DNS names
        (and wildcards), and email addresses.
      example: '*.elastic.co'
      default_field: false
    - name: issuer.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of the issuing certificate authority.
      example: Example SHA2 High Assurance Server CA
      default_field: false
    - name: issuer.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: issuer.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of issuing certificate authority.
      example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
        Server CA
      default_field: false
    - name: issuer.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: Mountain View
      default_field: false
    - name: issuer.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of issuing certificate authority.
      example: Example Inc
      default_field: false
    - name: issuer.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of issuing certificate authority.
      example: www.example.com
      default_field: false
    - name: issuer.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: not_after
      level: extended
      type: date
      description: Time at which the certificate is no longer considered valid.
      example: 2020-07-16 03:15:39+00:00
      default_field: false
    - name: not_before
      level: extended
      type: date
      description: Time at which the certificate is first considered valid.
      example: 2019-08-16 01:40:25+00:00
      default_field: false
    - name: public_key_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Algorithm used to generate the public key.
      example: RSA
      default_field: false
    - name: public_key_curve
      level: extended
      type: keyword
      ignore_above: 1024
      description: The curve used by the elliptic curve public key algorithm. This
        is algorithm specific.
      example: nistp521
      default_field: false
    - name: public_key_exponent
      level: extended
      type: long
      description: Exponent used to derive the public key. This is algorithm specific.
      example: 65537
      index: false
      doc_values: false
      default_field: false
    - name: public_key_size
      level: extended
      type: long
      description: The size of the public key space in bits.
      example: 2048
      default_field: false
    - name: serial_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Unique serial number issued by the certificate authority. For consistency,
        if this value is alphanumeric, it should be formatted without colons and uppercase
        characters.
      example: 55FBB9C7DEBF09809D12CCAA
      default_field: false
    - name: signature_algorithm
      level: extended
      type: keyword
      ignore_above: 1024
      description: Identifier for certificate signature algorithm. We recommend using
        names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
      example: SHA256-RSA
      default_field: false
    - name: subject.common_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of common names (CN) of subject.
      example: shared.global.example.net
      default_field: false
    - name: subject.country
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of country (C) codes
      example: US
      default_field: false
    - name: subject.distinguished_name
      level: extended
      type: keyword
      ignore_above: 1024
      description: Distinguished name (DN) of the certificate subject entity.
      example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
      default_field: false
    - name: subject.locality
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of locality names (L)
      example: San Francisco
      default_field: false
    - name: subject.organization
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizations (O) of subject.
      example: Example, Inc.
      default_field: false
    - name: subject.organizational_unit
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of organizational units (OU) of subject.
      default_field: false
    - name: subject.state_or_province
      level: extended
      type: keyword
      ignore_above: 1024
      description: List of state or province names (ST, S, or P)
      example: California
      default_field: false
    - name: version_number
      level: extended
      type: keyword
      ignore_above: 1024
      description: Version of x509 format.
      example: 3
      default_field: false
- key: beat
  anchor: beat-common
  title: Beat
  description: >
    Contains common beat fields available in all event types.
  fields:
    - name: agent.hostname
      type: alias
      path: agent.name
      description: >
        Deprecated - use agent.name or agent.id to identify an agent.

    - name: beat.timezone
      type: alias
      path: event.timezone
      migration: true

    - name: fields
      type: object
      object_type: keyword
      description: >
        Contains user configurable fields.

    - name: beat.name
      type: alias
      path: host.name
      migration: true

    - name: beat.hostname
      type: alias
      path: agent.name
      migration: true

    - name: timeseries.instance
      type: keyword
      description: Time series instance id
- key: cloud
  title: Cloud provider metadata
  description: >
    Metadata from cloud providers added by the add_cloud_metadata processor.
  fields:
    
    - name: cloud.image.id
      default_field: true
      example: ami-abcd1234
      description: >
        Image ID for the cloud instance.

    # Alias for old fields
    - name: meta.cloud.provider
      default_field: true
      type: alias
      path: cloud.provider
      migration: true

    - name: meta.cloud.instance_id
      default_field: true
      type: alias
      path: cloud.instance.id
      migration: true

    - name: meta.cloud.instance_name
      default_field: true
      type: alias
      path: cloud.instance.name
      migration: true

    - name: meta.cloud.machine_type
      default_field: true
      type: alias
      path: cloud.machine.type
      migration: true

    - name: meta.cloud.availability_zone
      default_field: true
      type: alias
      path: cloud.availability_zone
      migration: true

    - name: meta.cloud.project_id
      default_field: true
      type: alias
      path: cloud.project.id
      migration: true

    - name: meta.cloud.region
      default_field: true
      type: alias
      path: cloud.region
      migration: true

    
- key: docker
  title: Docker
  description: >
    Docker stats collected from Docker.
  short_config: false
  anchor: docker-processor
  fields:
    - name: docker
      default_field: true
      type: group
      fields:
        - name: container.id
          type: alias
          path: container.id
          migration: true

        - name: container.image
          type: alias
          path: container.image.name
          migration: true

        - name: container.name
          type: alias
          path: container.name
          migration: true

        - name: container.labels  # TODO: How to map these?
          type: object
          object_type: keyword
          description: >
            Image labels.
- key: host
  default_field: true
  title: Host
  description: >
    Info collected for the host machine.
  anchor: host-processor
  fields:

    # ECS fields are in fields.ecs.yml.
    # These are the non-ECS fields.
    - name: host
      default_field: true
      type: group
      fields:

        - name: containerized
          type: boolean
          description: >
            If the host is a container.

        - name: os.build
          type: keyword
          example: "18D109"
          description: >
            OS build information.

        - name: os.codename
          type: keyword
          example: "stretch"
          description: >
            OS codename, if any.
- key: kubernetes
  title: Kubernetes
  description: >
    Kubernetes metadata added by the kubernetes processor
  short_config: false
  anchor: kubernetes-processor
  fields:
    - name: kubernetes
      default_field: true
      type: group
      fields:
        - name: pod.name
          type: keyword
          description: >
            Kubernetes pod name

        - name: pod.uid
          type: keyword
          description: >
            Kubernetes Pod UID

        - name: pod.ip
          type: ip
          description: >
            Kubernetes Pod IP

        - name: namespace
          type: keyword
          description: >
            Kubernetes namespace

        - name: node.name
          type: keyword
          description: >
            Kubernetes node name

        - name: node.hostname
          type: keyword
          description: >
            Kubernetes hostname as reported by the node’s kernel

        - name: labels.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes labels map

        - name: annotations.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes annotations map

        - name: selectors.*
          type: object
          object_type: keyword
          object_type_mapping_type: "*"
          description: >
            Kubernetes selectors map

        - name: replicaset.name
          type: keyword
          description: >
            Kubernetes replicaset name

        - name: deployment.name
          type: keyword
          description: >
            Kubernetes deployment name

        - name: statefulset.name
          type: keyword
          description: >
            Kubernetes statefulset name

        - name: container.name
          type: keyword
          description: >
            Kubernetes container name (different than the name from the runtime)
- key: process
  title: Process
  description: >
    Process metadata fields
  fields:
    - name: process
      default_field: true
      type: group
      fields:
        - name: exe
          type: alias
          path: process.executable
          migration: true
        - name: owner
          type: group
          description: Process owner information.
          fields:
            - name: id
              type: keyword
              ignore_above: 1024
              description: Unique identifier of the user.
            - name: name
              type: keyword
              ignore_above: 1024
              multi_fields:
              - name: text
                type: text
                norms: false
              description: Short name or login of the user.
              example: albert

- key: jolokia-autodiscover
  title: Jolokia Discovery autodiscover provider
  description: >
    Metadata from Jolokia Discovery added by the jolokia provider.
  fields:
    - name: jolokia.agent.version
      default_field: true
      type: keyword
      description: >
        Version number of jolokia agent.
    - name: jolokia.agent.id
      default_field: true
      type: keyword
      description: >
        Each agent has a unique id which can be either provided during startup of the agent in the form of a configuration parameter or autodetected. If autodetected, the id has several parts: the IP, the process id, the hashcode of the agent and its type.
    - name: jolokia.server.product
      default_field: true
      type: keyword
      description: >
        The container product if detected.
    - name: jolokia.server.version
      default_field: true
      type: keyword
      description: >
        The container's version (if detected).
    - name: jolokia.server.vendor
      default_field: true
      type: keyword
      description: >
        The vendor of the container the agent is running in.
    - name: jolokia.url
      default_field: true
      type: keyword
      description: >
        The URL how this agent can be contacted.
    - name: jolokia.secured
      default_field: true
      type: boolean
      description: >
        Whether the agent was configured for authentication or not.
- key: log
  title: Log file content
  description: >
    Contains log file lines.
  fields:

    - name: log.source.address
      type: keyword
      required: false
      description: >
        Source address from which the log event was read or sent.

    - name: log.offset
      type: long
      required: false
      description: >
        The file offset the reported line starts at.

    - name: stream
      type: keyword
      required: false
      description: >
        Log stream when reading container logs, can be 'stdout' or 'stderr'

    - name: input.type
      required: true
      description: >
        The input type from which the event was generated. This field is set to the value specified
        for the `type` option in the input section of the Filebeat config file.

    - name: syslog.facility
      type: long
      required: false
      description: >
        The facility extracted from the priority.

    - name: syslog.priority
      type: long
      required: false
      description: >
        The priority of the syslog event.

    - name: syslog.severity_label
      type: keyword
      required: false
      description: >
        The human readable severity.

    - name: syslog.facility_label
      type: keyword
      required: false
      description: >
        The human readable facility.

    - name: process.program
      type: keyword
      required: false
      description: >
        The name of the program.

    - name: log.flags
      description: >
        This field contains the flags of the event.

    - name: http.response.content_length
      type: alias
      path: http.response.body.bytes
      migration: true

    - name: user_agent
      type: group
      fields:
      - name: os
        type: group
        fields:
        - name: full_name
          type: keyword

    - name: fileset.name
      type: keyword
      description: >
        The Filebeat fileset that generated this event.

    - name: fileset.module
      type: alias
      path: event.module
      migration: true

    - name: read_timestamp
      type: alias
      path: event.created
      migration: true

    - name: docker.attrs
      type: object
      object_type: keyword
      description: >
        docker.attrs contains labels and environment variables written by docker's JSON File logging driver.
        These fields are only available when they are configured in the logging driver options.

    - name: icmp.code
      type: keyword
      description: >
        ICMP code.

    - name: icmp.type
      type: keyword
      description: >
        ICMP type.

    - name: igmp.type
      type: keyword
      description: >
        IGMP type.


    - name: azure
      type: group
      fields:
        - name: eventhub
          type: keyword
          description: >
            Name of the eventhub.
        - name: offset
          type: long
          description: >
            The offset.
        - name: enqueued_time
          type: date
          description: >
            The enqueued time.
        - name: partition_id
          type: long
          description: >
            The partition id.
        - name: consumer_group
          type: keyword
          description: >
            The consumer group.
        - name: sequence_number
          type: long
          description: >
            The sequence number.


    - name: kafka
      type: group
      fields:
        - name: topic
          type: keyword
          description: >
            Kafka topic

        - name: partition
          type: long
          description: >
            Kafka partition number

        - name: offset
          type: long
          description: >
            Kafka offset of this message

        - name: key
          type: keyword
          description: >
            Kafka key, corresponding to the Kafka value stored in the message

        - name: block_timestamp
          type: date
          description: >
            Kafka outer (compressed) block timestamp

        - name: headers
          type: array
          description: >
            An array of Kafka header strings for this message, in the form
            "<key>: <value>".
- key: apache
  title: "Apache"
  description: >
    Apache Module
  short_config: true
  fields:
    - name: apache
      type: group
      description: >
        Apache fields.
      fields:
        - name: access
          type: group
          description: >
            Contains fields for the Apache HTTP Server access logs.
          fields:
            - name: ssl.protocol
              type: keyword
              description: >
                SSL protocol version.
        
            - name: ssl.cipher
              type: keyword
              description: >
                SSL cipher name.
        - name: error
          type: group
          description: >
            Fields from the Apache error logs.
          fields:
            - name: module
              type: keyword
              description: >
                The module producing the logged message.
- key: auditd
  title: "Auditd"
  description: >
    Module for parsing auditd logs.
  short_config: true
  fields:

    - name: user
      type: group
      fields:

        - name: terminal
          type: keyword
          description: >
            Terminal or tty device on which the user is performing the observed activity.

        - name: audit
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.

            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.


        - name: filesystem
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.

        - name: owner
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.

        - name: saved
          type: group
          fields:
            - name: id
              type: keyword
              description: >
                One or multiple unique identifiers of the user.
            - name: name
              type: keyword
              example: albert
              description: >
                Short name or login of the user.
            - name: group.id
              type: keyword
              description: >
                Unique identifier for the group on the system/platform.
            - name: group.name
              type: keyword
              description: >
                Name of the group.

    - name: auditd
      type: group
      description: >
        Fields from the auditd logs.
      fields:
        - name: log
          type: group
          description: >
            Fields from the Linux audit log. Not all fields are documented here because
            they are dynamic and vary by audit event type.
          fields:
            - name: old_auid
              description: >
                For login events this is the old audit ID used for the user prior to
                this login.
            - name: new_auid
              description: >
                For login events this is the new audit ID. The audit ID can be used to
                trace future events to the user even if their identity changes (like
                becoming root).
            - name: old_ses
              description: >
                For login events this is the old session ID used for the user prior to
                this login.
            - name: new_ses
              description: >
                For login events this is the new session ID. It can be used to tie a
                user to future events by session ID.
            - name: sequence
              type: long
              description: >
                The audit event sequence number.
            - name: items
              description: >
                The number of items in an event.
            - name: item
              description: >
                The item field indicates which item out of the total number of items.
                This number is zero-based; a value of 0 means it is the first item.
            - name: tty
              type: keyword
              description: >
                TTY device the user is running programs on.
            - name: a0
              description: >
                The first argument to the system call.
            - name: addr
              type: ip
              description: >
                Remote address that the user is connecting from.
            - name: rport
              type: long
              description: >
                Remote port number.
            - name: laddr
              type: ip
              description: >
                Local network address.
            - name: lport
              type: long
              description: >
                Local port number.
        
            - name: acct
              type: alias
              path: user.name
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: ppid
              type: alias
              path: process.parent.pid
              migration: true
            - name: res
              type: alias
              path: event.outcome
              migration: true
            - name: record_type
              type: alias
              path: event.action
              migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
        
            # Fields below were not defined in 6.x but were still being populated.
            - name: arch
              type: alias
              path: host.architecture
              migration: true
            - name: gid
              type: alias
              path: user.group.id
              migration: true
            - name: uid
              type: alias
              path: user.id
              migration: true
            - name: agid
              type: alias
              path: user.audit.group.id
              migration: true
            - name: auid
              type: alias
              path: user.audit.id
              migration: true
            - name: fsgid
              type: alias
              path: user.filesystem.group.id
              migration: true
            - name: fsuid
              type: alias
              path: user.filesystem.id
              migration: true
            - name: egid
              type: alias
              path: user.effective.group.id
              migration: true
            - name: euid
              type: alias
              path: user.effective.id
              migration: true
            - name: sgid
              type: alias
              path: user.saved.group.id
              migration: true
            - name: suid
              type: alias
              path: user.saved.id
              migration: true
            - name: ogid
              type: alias
              path: user.owner.group.id
              migration: true
            - name: ouid
              type: alias
              path: user.owner.id
              migration: true
            - name: comm
              type: alias
              path: process.name
              migration: true
            - name: exe
              type: alias
              path: process.executable
              migration: true
            - name: terminal
              type: alias
              path: user.terminal
              migration: true
            - name: msg
              type: alias
              path: message
              migration: true
            - name: src
              type: alias
              path: source.address
              migration: true
            - name: dst
              type: alias
              path: destination.address
              migration: true
- key: elasticsearch
  title: "Elasticsearch"
  release: ga
  description: >
    elasticsearch Module
  fields:
    - name: elasticsearch
      type: group
      description: >
      fields:
        - name: component
          description: "Elasticsearch component from where the log event originated"
          example: "o.e.c.m.MetaDataCreateIndexService"
          type: keyword
        - name: cluster.uuid
          description: "UUID of the cluster"
          example: "GmvrbHlNTiSVYiPf8kxg9g"
          type: keyword
        - name: cluster.name
          description: "Name of the cluster"
          example: "docker-cluster"
          type: keyword
        - name: node.id
          description: "ID of the node"
          example: "DSiWcTyeThWtUXLB9J0BMw"
          type: keyword
        - name: node.name
          description: "Name of the node"
          example: "vWNJsZ3"
          type: keyword
        - name: index.name
          description: "Index name"
          example: "filebeat-test-input"
          type: keyword
        - name: index.id
          description: "Index id"
          example: "aOGgDwbURfCV57AScqbCgw"
          type: keyword
        - name: shard.id
          description: "Id of the shard"
          example: "0"
          type: keyword
        - name: elastic_product_origin
          type: keyword
          description: "Used by Elastic stack to identify which component of the stack sent the request"
          example: "kibana"
        - name: http.request.x_opaque_id
          description: "Used by Elasticsearch to throttle and deduplicate deprecation warnings"
          example: "v7app"
          type: keyword
        - name: event.category
          description: "Category of the deprecation event"
          example: "compatible_api"
          type: keyword
        - name: audit
          type: group
          fields:
            - name: layer
              description: "The layer from which this event originated: rest, transport or ip_filter"
              example: "rest"
              type: keyword
            - name: event_type
              description: "The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied"
              example: "access_granted"
              type: keyword
            - name: origin.type
              description: "Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)"
              example: "local_node"
              type: keyword
            - name: realm
              description: "The authentication realm the authentication was validated against"
              example: "default_file"
              type: keyword
            - name: user.realm
              description: "The user's authentication realm, if authenticated"
              example: "active_directory"
              type: keyword
            - name: user.roles
              description: "Roles to which the principal belongs"
              example: [ "kibana_admin", "beats_admin" ]
              type: keyword
            - name: user.run_as.name
              type: keyword
            - name: user.run_as.realm
              type: keyword
            - name: component
              type: keyword
            - name: action
              description: "The name of the action that was executed"
              example: "cluster:monitor/main"
              type: keyword
            - name: url.params
              description: "REST URI parameters"
              example: "{username=jacknich2}"
            - name: indices
              description: "Indices accessed by action"
              example: [ "foo-2019.01.04", "foo-2019.01.03", "foo-2019.01.06" ]
              type: keyword
            - name: request.id
              description: "Unique ID of request"
              example: "WzL_kb6VSvOhAq0twPvHOQ"
              type: keyword
            - name: request.name
              description: "The type of request that was executed"
              example: "ClearScrollRequest"
              type: keyword
            - name: request_body
              type: alias
              path: http.request.body.content
              migration: true
            - name: origin_address
              type: alias
              path: source.ip
              migration: true
            - name: uri
              type: alias
              path: url.original
              migration: true
            - name: principal
              type: alias
              path: user.name
              migration: true
            - name: message
              type: text
            - name: invalidate.apikeys.owned_by_authenticated_user
              type: boolean
            - name: authentication.type
              type: keyword
            - name: opaque_id
              type: text
        - name: deprecation
          type: group
          description: >
          fields:
        - name: gc
          type: group
          description: >
            GC fileset fields.
          fields:
            - name: phase
              type: group
              description: >
                Fields specific to GC phase.
              fields:
                - name: name
                  type: keyword
                  description: >
                    Name of the GC collection phase.
                - name: duration_sec
                  type: float
                  description: >
                    Collection phase duration according to the Java virtual machine.
                - name: scrub_symbol_table_time_sec
                  type: float
                  description: >
                    Pause time in seconds cleaning up symbol tables.
                - name: scrub_string_table_time_sec
                  type: float
                  description: >
                    Pause time in seconds cleaning up string tables.
                - name: weak_refs_processing_time_sec
                  type: float
                  description: >
                    Time spent processing weak references in seconds.
                - name: parallel_rescan_time_sec
                  type: float
                  description: >
                    Time spent in seconds marking live objects while application is stopped.
                - name: class_unload_time_sec
                  type: float
                  description: >
                    Time spent unloading unused classes in seconds.
                - name: cpu_time
                  type: group
                  description: >
                    Process CPU time spent performing collections.
                  fields:
                    - name: user_sec
                      type: float
                      description: >
                        CPU time spent outside the kernel.
                    - name: sys_sec
                      type: float
                      description: >
                        CPU time spent inside the kernel.
                    - name: real_sec
                      type: float
                      description: >
                        Total elapsed CPU time spent to complete the collection from start to finish.
            - name: jvm_runtime_sec
              type: float
              description: >
                The time from JVM start up in seconds, as a floating point number.
            - name: threads_total_stop_time_sec
              type: float
              description: >
                Total time, in seconds, that garbage collection threads were stopped.
            - name: stopping_threads_time_sec
              type: float
              description: >
                Time taken to stop threads, in seconds.
            - name: tags
              type: keyword
              description: >
                GC logging tags.
            - name: heap
              type: group
              description: >
                Heap allocation and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total heap size in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Used heap in kilobytes.
            - name: old_gen
              type: group
              description: >
                Old generation occupancy and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total size of old generation in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Old generation occupancy in kilobytes.
            - name: young_gen
              type: group
              description: >
                Young generation occupancy and total size.
              fields:
                - name: size_kb
                  type: integer
                  description: >
                    Total size of young generation in kilobytes.
                - name: used_kb
                  type: integer
                  description: >
                    Young generation occupancy in kilobytes.
        - name: server
          description: "Server log file"
          type: group
          fields:
          - name: stacktrace
            description: "Stack trace in case of errors"
            index: false
          - name: gc
            description: "GC log"
            type: group
            fields:
            - name: young
              description: "Young GC"
              example: ""
              type: group
              fields:
              - name: one
                description: ""
                example: ""
                type: long
              - name: two
                description: ""
                example: ""
                type: long
            - name: overhead_seq
              description: "Sequence number"
              example: 3449992
              type: long
            - name: collection_duration.ms
              description: "Time spent in GC, in milliseconds"
              example: 1600
              type: float
            - name: observation_duration.ms
              description: "Total time over which collection was observed, in milliseconds"
              example: 1800
              type: float
        - name: slowlog
          description: "Slowlog events from Elasticsearch"
          example: "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],"
          type: group
          fields:
          - name: logger
            description: "Logger name"
            example: "index.search.slowlog.fetch"
            type: keyword
          - name: took
            description: "Time it took to execute the query"
            example: "300ms"
            type: keyword
          - name: types
            description: "Types"
            example: ""
            type: keyword
          - name: stats
            description: "Stats groups"
            example: "group1"
            type: keyword
          - name: search_type
            description: "Search type"
            example: "QUERY_THEN_FETCH"
            type: keyword
          - name: source_query
            description: "Slow query"
            example: "{\"query\":{\"match_all\":{\"boost\":1.0}}}"
            type: keyword
          - name: extra_source
            description: "Extra source information"
            example: ""
            type: keyword
          - name: total_hits
            description: "Total hits"
            example: 42
            type: keyword
          - name: total_shards
            description: "Total queried shards"
            example: 22
            type: keyword
          - name: routing
            description: "Routing"
            example: "s01HZ2QBk9jw4gtgaFtn"
            type: keyword
          - name: id
            description: Id
            example: ""
            type: keyword
          - name: type
            description: "Type"
            example: "doc"
            type: keyword
          - name: source
            description: Source of document that was indexed
            type: keyword
- key: haproxy
  title: "HAProxy"
  description: >
    haproxy Module
  fields:
    - name: haproxy
      type: group
      description: >
      fields:

        - name: frontend_name
          description: Name of the frontend (or listener) which received and processed the connection.

        - name: backend_name
          description: Name of the backend (or listener) which was selected to manage the connection to the server.

        - name: server_name
          description: Name of the last server to which the connection was sent.

        - name: total_waiting_time_ms
          description: Total time in milliseconds spent waiting in the various queues
          type: long

        - name: connection_wait_time_ms
          description: Total time in milliseconds spent waiting for the connection to establish to the final server
          type: long

        - name: bytes_read
          description: Total number of bytes transmitted to the client when the log is emitted.
          type: long

        - name: time_queue
          description: Total time in milliseconds spent waiting in the various queues.
          type: long

        - name: time_backend_connect
          description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
          type: long

        - name: server_queue
          description: Total number of requests which were processed before this one in the server queue.
          type: long

        - name: backend_queue
          description: Total number of requests which were processed before this one in the backend's global queue.
          type: long

        - name: bind_name
          description: Name of the listening address which received the connection.

        - name: error_message
          description: Error message logged by HAProxy in case of error.
          type: text

        - name: source
          type: keyword
          description: The HAProxy source of the log

        - name: termination_state
          description: Condition the session was in when the session ended.

        - name: mode
          type: keyword
          description: Mode in which the frontend is operating (TCP or HTTP).

        - name: connections
          description: Contains various counts of connections active in the process.
          type: group
          fields:
            - name: active
              description: Total number of concurrent connections on the process when the session was logged.
              type: long

            - name: frontend
              description: Total number of concurrent connections on the frontend when the session was logged.
              type: long

            - name: backend
              description: Total number of concurrent connections handled by the backend when the session was logged.
              type: long

            - name: server
              description: Total number of concurrent connections still active on the server when the session was logged.
              type: long

            - name: retries
              description: Number of connection retries experienced by this session when trying to connect to the server.
              type: long

        - name: client
          description: Information about the client making the request.
          type: group
          fields:
          - name: ip
            type: alias
            path: source.address
            migration: true
          - name: port
            type: alias
            path: source.port
            migration: true

        - name: process_name
          type: alias
          path: process.name
          migration: true

        - name: pid
          type: alias
          path: process.pid
          migration: true

        - name: destination
          description: Destination information
          type: group
          fields:
          - name: port
            type: alias
            path: destination.port
            migration: true
          - name: ip
            type: alias
            path: destination.ip
            migration: true

        - name: geoip
          type: group
          description: >
            Contains GeoIP information gathered based on the client.ip field.
            Only present if the GeoIP Elasticsearch plugin is available and
            used.
          fields:
            - name: continent_name
              type: alias
              path: source.geo.continent_name
              migration: true
            - name: country_iso_code
              type: alias
              path: source.geo.country_iso_code
              migration: true
            - name: location
              type: alias
              path: source.geo.location
              migration: true
            - name: region_name
              type: alias
              path: source.geo.region_name
              migration: true
            - name: city_name
              type: alias
              path: source.geo.city_name
              migration: true
            - name: region_iso_code
              type: alias
              path: source.geo.region_iso_code
              migration: true
        - name: http
          description: Please add description
          type: group
          fields:
        
          - name: response
            description: Fields related to the HTTP response
            type: group
            fields:
            - name: captured_cookie
              description: >
                Optional "name=value" entry indicating that the client had this cookie in the response.
        
            - name: captured_headers
              description: >
                List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
              type: keyword
        
            - name: status_code
              type: alias
              path: http.response.status_code
              migration: true
        
          - name: request
            description: Fields related to the HTTP request
            type: group
            fields:
            - name: captured_cookie
              description: >
                Optional "name=value" entry indicating that the server has returned a cookie with its request.
        
            - name: captured_headers
              description: >
                List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
              type: keyword
        
            - name: raw_request_line
              description: Complete HTTP request line, including the method, request and HTTP version string.
              type: keyword
        
            - name: time_wait_without_data_ms
              description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
              type: long
        
            - name: time_wait_ms
              description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
              type: long
        
        - name: tcp
          description: TCP log format
          type: group
          fields:
          - name: connection_waiting_time_ms
            type: long
            description: Total time in milliseconds elapsed between the accept and the last close
- key: icinga
  title: "Icinga"
  description: >
    Icinga Module
  fields:
    - name: icinga
      type: group
      description: >
      fields:
        - name: debug
          type: group
          description: >
            Contains fields for the Icinga debug logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
        
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: main
          type: group
          description: >
            Contains fields for the Icinga main logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
        
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: startup
          type: group
          description: >
            Contains fields for the Icinga startup logs.
          fields:
            - name: facility
              type: keyword
              description: >
                Specifies what component of Icinga logged the message.
        
            - name: severity
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
- key: iis
  title: "IIS"
  description: >
    Module for parsing IIS log files.
  fields:
    - name: iis
      type: group
      description: >
        Fields from IIS log files.
      fields:

        - name: access
          type: group
          description: >
            Contains fields for IIS access logs.
          fields:
            - name: sub_status
              type: long
              description: >
                The HTTP substatus code.
            - name: win32_status
              type: long
              description: >
                The Windows status code.
            - name: site_name
              type: keyword
              description: >
                The site name and instance number.
            - name: server_name
              type: keyword
              description: >
                The name of the server on which the log file entry was generated.
            - name: cookie
              type: keyword
              description: >
                The content of the cookie sent or received, if any.
        
            - name: body_received.bytes
              type: alias
              path: http.request.body.bytes
              migration: true
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: server_ip
              type: alias
              path: destination.address
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.path
              migration: true
            - name: query_string
              type: alias
              path: url.query
              migration: true
            - name: port
              type: alias
              path: destination.port
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: hostname
              type: alias
              path: host.hostname
              migration: true
            - name: user_agent
              type: group
              fields:
                - name: device
                  type: alias
                  path: user_agent.device.name
                  migration: true
                - name: name
                  type: alias
                  path: user_agent.name
                  migration: true
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                  migration: true
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                  migration: true
                - name: original
                  type: alias
                  path: user_agent.original
                  migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
        - name: error
          type: group
          description: >
            Contains fields for IIS error logs.
          fields:
            - name: reason_phrase
              type: keyword
              description: >
                The HTTP reason phrase.
            - name: queue_name
              type: keyword
              description: >
                The IIS application pool name.
        
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: remote_port
              type: alias
              path: source.port
              migration: true
            - name: server_ip
              type: alias
              path: destination.address
              migration: true
            - name: server_port
              type: alias
              path: destination.port
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
- key: kafka
  title: "Kafka"
  description: >
    Kafka module
  fields:
    - name: kafka
      type: group
      description: >
      fields:
        - name: log
          type: group
          description: >
            Kafka log lines.
          fields:
            - name: component
              type: keyword
              description: >
                Component the log is coming from.
            - name: class
              type: keyword
              description: >
                Java class the log is coming from.
            - name: thread
              type: keyword
              description: >
                Thread name the log is coming from.
            - name: trace
              type: group
              description: >
                  Trace in the log line.
              fields:
                - name: class
                  type: keyword
                  description: >
                    Java class the trace is coming from.
                - name: message
                  type: text
                  description: >
                      Message part of the trace.
- key: kibana
  title: "kibana"
  release: ga
  description: >
    kibana Module
  fields:
    - name: kibana
      type: group
      description: >
        Module for parsing Kibana logs.
      fields:
        - name: session_id
          description: The ID of the user session associated with this event. Each login attempt results in a unique session id.
          example: "123e4567-e89b-12d3-a456-426614174000"
          type: keyword
        - name: space_id
          description: "The id of the space associated with this event."
          example: "default"
          type: keyword
        - name: saved_object.type
          description: "The type of the saved object associated with this event."
          example: "dashboard"
          type: keyword
        - name: saved_object.id
          description: "The id of the saved object associated with this event."
          example: "6295bdd0-0a0e-11e7-825f-6748cda7d858"
          type: keyword
        - name: add_to_spaces
          description: "The set of space ids that a saved object was shared to."
          example: "['default', 'marketing']"
          type: keyword
        - name: delete_from_spaces
          description: "The set of space ids that a saved object was removed from."
          example: "['default', 'marketing']"
          type: keyword
        - name: authentication_provider
          description: "The authentication provider associated with a login event."
          example: "basic1"
          type: keyword
        - name: authentication_type
          description: "The authentication provider type associated with a login event."
          example: "basic"
          type: keyword
        - name: authentication_realm
          description: "The Elasticsearch authentication realm name which fulfilled a login event."
          example: "native"
          type: keyword
        - name: lookup_realm
          description: "The Elasticsearch lookup realm which fulfilled a login event."
          example: "native"
          type: keyword
        - name: log
          type: group
          description: >
            Kibana log lines.
          fields:
            - name: tags
              type: keyword
              description: >
                Kibana logging tags.
            - name: state
              type: keyword
              description: >
                Current state of Kibana.
            - name: meta
              type: object
              object_type: keyword
        
            - name: meta.req.headers
              type: flattened
            - name: meta.res.headers
              type: flattened
- key: logstash
  title: "logstash"
  release: ga
  description: >
    logstash Module
  fields:
    - name: logstash
      type: group
      description: >
      fields:
        - name: log
          title: "Logstash"
          type: group
          description: >
            Fields from the Logstash logs.
          fields:
            - name: module
              type: keyword
              description: >
                The module or class where the event originates.
            - name: thread
              type: keyword
              description: >
                Information about the running thread where the log originates.
              multi_fields:
                - name: text
                  type: text
            - name: log_event
              type: object
              description: >
                key and value debugging information.
            - name: log_event.action
              type: keyword
            - name: pipeline_id
              type: keyword
              example: main
              description: >
                The ID of the pipeline.
        
            - name: message
              type: alias
              path: message
              migration: true
            - name: level
              type: alias
              path: log.level
              migration: true
        - name: slowlog
          type: group
          description: >
            slowlog
          fields:
            - name: module
              type: keyword
              description: >
                The module or class where the event originates.
            - name: thread
              type: keyword
              description: >
                Information about the running thread where the log originates.
              multi_fields:
                - name: text
                  type: text
            - name: event
              type: keyword
              description: >
                Raw dump of the original event
              multi_fields:
                - name: text
                  type: text
            - name: plugin_name
              type: keyword
              description: >
                Name of the plugin
            - name: plugin_type
              type: keyword
              description: >
                Type of the plugin: Inputs, Filters, Outputs or Codecs.
            - name: took_in_millis
              type: long
              description: >
                Execution time for the plugin in milliseconds.
            - name: plugin_params
              type: keyword
              description: >
                String value of the plugin configuration
              multi_fields:
                - name: text
                  type: text
            - name: plugin_params_object
              type: object
              description: >
                key -> value of the configuration used by the plugin.
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: took_in_nanos
              type: alias
              path: event.duration
              migration: true
- key: mongodb
  title: "mongodb"
  description: >
    Module for parsing MongoDB log files.
  fields:
    - name: mongodb
      type: group
      description: >
          Fields from MongoDB logs.
      fields:
        - name: log
          type: group
          description: >
              Contains fields from MongoDB logs.
          fields:
          - name: component
            description: >
                Functional categorization of message
            example: COMMAND
            type: keyword
          - name: context
            description: >
                Context of message
            example: initandlisten
            type: keyword
          - name: severity
            type: alias
            path: log.level
            migration: true
          - name: message
            type: alias
            path: message
            migration: true
          - name: id
            description: >
                Integer representing the unique identifier of the log statement
            example: 4615611
            type: long
- key: mysql
  title: "MySQL"
  description: >
    Module for parsing the MySQL log files.
  short_config: true
  fields:
    - name: mysql
      type: group
      description: >
        Fields from the MySQL log files.
      fields:
        - name: thread_id
          type: long
          description: >
            The connection or thread ID for the query.
        - name: error
          type: group
          description: >
            Contains fields from the MySQL error logs.
          fields:
            - name: thread_id
              type: alias
              path: mysql.thread_id
              migration: true
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: slowlog
          type: group
          description: >
            Contains fields from the MySQL slow logs.
          fields:
            - name: lock_time.sec
              type: float
              description: >
                The amount of time the query waited for the lock to be available. The
                value is in seconds, as a floating point number.
            - name: rows_sent
              type: long
              description: >
                The number of rows returned by the query.
            - name: rows_examined
              type: long
              description: >
                The number of rows scanned by the query.
            - name: rows_affected
              type: long
              description: >
                The number of rows modified by the query.
            - name: bytes_sent
              type: long
              format: bytes
              description: >
                The number of bytes sent to client.
            - name: bytes_received
              type: long
              format: bytes
              description: >
                The number of bytes received from client.
            - name: query
              description: >
                The slow query.
            - name: id
              type: alias
              path: mysql.thread_id
              migration: true
            - name: schema
              type: keyword
              description: >
                The schema where the slow query was executed.
            - name: current_user
              type: keyword
              description: >
                Current authenticated user, used to determine access privileges. Can differ from the value for user.
            - name: last_errno
              type: keyword
              description: >
                Last SQL error seen.
            - name: killed
              type: keyword
              description: >
                Code of the reason if the query was killed.
        
            - name: query_cache_hit
              type: boolean
              description: >
                Whether the query cache was hit.
            - name: tmp_table
              type: boolean
              description: >
                Whether a temporary table was used to resolve the query.
            - name: tmp_table_on_disk
              type: boolean
              description: >
                Whether the query needed temporary tables on disk.
            - name: tmp_tables
              type: long
              description: >
                Number of temporary tables created for this query
            - name: tmp_disk_tables
              type: long
              description: >
                Number of temporary tables created on disk for this query.
            - name: tmp_table_sizes
              type: long
              format: bytes
              description:
                Size of temporary tables created for this query.
            - name: filesort
              type: boolean
              description: >
                Whether filesort optimization was used.
            - name: filesort_on_disk
              type: boolean
              description: >
                Whether filesort optimization was used and it needed temporary tables on disk.
            - name: priority_queue
              type: boolean
              description: >
                Whether a priority queue was used for filesort.
            - name: full_scan
              type: boolean
              description: >
                Whether a full table scan was needed for the slow query.
            - name: full_join
              type: boolean
              description: >
                Whether a full join was needed for the slow query (no indexes were used for joins).
            - name: merge_passes
              type: long
              description: >
                Number of merge passes executed for the query.
            - name: sort_merge_passes
              type: long
              description: >
                Number of merge passes that the sort algorithm has had to do.
            - name: sort_range_count
              type: long
              description: >
                Number of sorts that were done using ranges. 
            - name: sort_rows
              type: long
              description: >
                Number of sorted rows.
            - name: sort_scan_count
              type: long
              description: >
                Number of sorts that were done by scanning the table.
            - name: log_slow_rate_type
              type: keyword
              description: >
                Type of slow log rate limit, it can be `session` if the rate limit
                is applied per session, or `query` if it applies per query.
            - name: log_slow_rate_limit
              type: keyword
              description: >
                Slow log rate limit, a value of 100 means that one in a hundred queries
                or sessions are being logged.
            - name: read_first
              type: long
              description: >
                The number of times the first entry in an index was read.
            - name: read_last
              type: long
              description: >
                The number of times the last key in an index was read.
            - name: read_key
              type: long
              description: >
                The number of requests to read a row based on a key.
            - name: read_next
              type: long
              description: >
                The number of requests to read the next row in key order.
            - name: read_prev
              type: long
              description: >
                The number of requests to read the previous row in key order.
            - name: read_rnd
              type: long
              description: >
                The number of requests to read a row based on a fixed position. 
            - name: read_rnd_next
              type: long
              description: >
                The number of requests to read the next row in the data file.
        
            # https://www.percona.com/doc/percona-server/5.7/diagnostics/slow_extended.html
            - name: innodb
              type: group
              description: >
                Contains fields relative to InnoDB engine
              fields:
                - name: trx_id
                  type: keyword
                  description: >
                    Transaction ID
                - name: io_r_ops
                  type: long
                  description: >
                    Number of page read operations.
                - name: io_r_bytes
                  type: long
                  format: bytes
                  description: >
                    Bytes read during page read operations.
                - name: io_r_wait.sec
                  type: long
                  description: >
                    How long it took to read all needed data from storage.
                - name: rec_lock_wait.sec
                  type: long
                  description: >
                    How long the query waited for locks.
                - name: queue_wait.sec
                  type: long
                  description: >
                    How long the query waited to enter the InnoDB queue and to be executed once
                    in the queue.
                - name: pages_distinct
                  type: long
                  description: >
                    Approximated count of pages accessed to execute the query.
        
            - name: user
              type: alias
              path: user.name
              migration: true
            - name: host
              type: alias
              path: source.domain
              migration: true
            - name: ip
              type: alias
              path: source.ip
              migration: true
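The slow-log fields above come from `# Key: value` header lines that precede each logged statement, so a parser for that header is the natural companion to the schema. The following is an added example, not the module's own pipeline: it parses one Percona-style entry into the dotted field names listed above (`user.name`, `source.ip`, `mysql.thread_id`, the `mysql.slowlog.*` fields) and adds a constructed heuristic that flags full scans examining far more rows than they return. Assumptions: `Query_time` is stored in `event.duration` as nanoseconds (the page documents that alias only for logstash), the sample entry is constructed, and the threshold values in `looks_like_table_dump` are illustrative.

```python
"""Parse one MySQL (Percona-extended) slow-log entry into the field names above."""
import re
from datetime import datetime, timezone

# Plain counters: header key lowercased under mysql.slowlog.*
COUNTERS = ("Rows_sent", "Rows_examined", "Rows_affected", "Bytes_sent", "Tmp_tables",
            "Tmp_disk_tables", "Tmp_table_sizes", "Merge_passes")
NUMERIC = {k: ("mysql.slowlog." + k.lower(), int) for k in COUNTERS}
NUMERIC.update({
    "Lock_time": ("mysql.slowlog.lock_time.sec", float),
    "InnoDB_IO_r_ops": ("mysql.slowlog.innodb.io_r_ops", int),
    "InnoDB_IO_r_bytes": ("mysql.slowlog.innodb.io_r_bytes", int),
    "InnoDB_IO_r_wait": ("mysql.slowlog.innodb.io_r_wait.sec", float),
    "InnoDB_rec_lock_wait": ("mysql.slowlog.innodb.rec_lock_wait.sec", float),
    "InnoDB_queue_wait": ("mysql.slowlog.innodb.queue_wait.sec", float),
    "InnoDB_pages_distinct": ("mysql.slowlog.innodb.pages_distinct", int),
})
BOOLEAN = {k: "mysql.slowlog." + k.lower() for k in  # Percona writes these as Yes/No
           ("Full_scan", "Full_join", "Tmp_table", "Tmp_table_on_disk", "Filesort", "Filesort_on_disk")}
BOOLEAN["QC_Hit"] = "mysql.slowlog.query_cache_hit"
KEYWORD = {"Schema": "mysql.slowlog.schema", "Last_errno": "mysql.slowlog.last_errno",
           "Killed": "mysql.slowlog.killed", "InnoDB_trx_id": "mysql.slowlog.innodb.trx_id"}

# "# User@Host: user[current_user] @ host [ip]  Id: N"; host or ip may be empty.
USER_HOST = re.compile(
    r"^# User@Host: (?P<user>[^\[\s]+)\[(?P<cur>[^\]]*)\] @ (?P<host>\S*) "
    r"\[(?P<ip>[^\]]*)\](?:\s+Id:\s+(?P<id>\d+))?"
)
PAIR = re.compile(r"(\w+): (\S+)")
SET_TS = re.compile(r"^SET timestamp=(\d+)(?:\.\d+)?;")


def parse_slowlog_entry(text: str) -> dict:
    """Return a flat dict keyed by the dotted field names used on this page."""
    event, query_lines = {}, []
    for line in text.splitlines():
        if line.startswith("# Time:"):
            continue  # the SET timestamp= line below carries the same instant in epoch form
        m = USER_HOST.match(line)
        if m:
            event["user.name"] = m["user"]
            event["mysql.slowlog.current_user"] = m["cur"]
            if m["host"]:
                event["source.domain"] = m["host"]
            if m["ip"]:
                event["source.ip"] = m["ip"]
            if m["id"]:
                event["mysql.thread_id"] = int(m["id"])
            continue
        if line.startswith("#"):
            for key, value in PAIR.findall(line):
                if key == "Query_time":  # seconds -> nanoseconds (assumed target field)
                    event["event.duration"] = int(round(float(value) * 1e9))
                elif key in NUMERIC:
                    name, cast = NUMERIC[key]
                    event[name] = cast(value)
                elif key in BOOLEAN:
                    event[BOOLEAN[key]] = value == "Yes"
                elif key in KEYWORD:
                    event[KEYWORD[key]] = value
            continue
        ts = SET_TS.match(line)
        if ts:
            event["@timestamp"] = datetime.fromtimestamp(int(ts[1]), tz=timezone.utc).isoformat()
            continue
        if line.lower().startswith("use ") and line.endswith(";"):
            event.setdefault("mysql.slowlog.schema", line[4:-1].strip())
            continue
        if line.strip():
            query_lines.append(line)  # everything else is the statement text, kept verbatim
    event["mysql.slowlog.query"] = "\n".join(query_lines)
    return event


def looks_like_table_dump(event: dict, min_examined: int = 100_000, ratio: int = 1000) -> bool:
    """Constructed heuristic, not part of the module: a full scan that examines
    orders of magnitude more rows than it returns deserves a second look."""
    examined = event.get("mysql.slowlog.rows_examined", 0)
    sent = max(event.get("mysql.slowlog.rows_sent", 0), 1)
    return bool(event.get("mysql.slowlog.full_scan")) and examined >= min_examined and examined >= ratio * sent


# Constructed sample entry in the Percona slow_extended format.
SAMPLE = """\
# Time: 2021-01-15T10:12:15.123456Z
# User@Host: appuser[appuser] @ localhost [127.0.0.1]  Id:    42
# Schema: shop  Last_errno: 0  Killed: 0
# Query_time: 2.345678  Lock_time: 0.000123  Rows_sent: 1  Rows_examined: 250000  Rows_affected: 0
# Bytes_sent: 512  Tmp_tables: 1  Tmp_disk_tables: 0  Tmp_table_sizes: 0
# InnoDB_trx_id: 0
# QC_Hit: No  Full_scan: Yes  Full_join: No  Tmp_table: Yes  Tmp_table_on_disk: No
# Filesort: Yes  Filesort_on_disk: No  Merge_passes: 0
#   InnoDB_IO_r_ops: 100  InnoDB_IO_r_bytes: 1638400  InnoDB_IO_r_wait: 0.010000
#   InnoDB_rec_lock_wait: 0.000000  InnoDB_queue_wait: 0.000000
#   InnoDB_pages_distinct: 90
SET timestamp=1610705535;
SELECT * FROM orders WHERE customer_email LIKE '%@example.com';
"""
```

Two things worth noticing when mapping the output. The query text is copied verbatim and is fully attacker-influenced, so it belongs in a `text`/`keyword` field and never in anything that is later evaluated. And the InnoDB wait fields (`io_r_wait.sec`, `rec_lock_wait.sec`, `queue_wait.sec`) are declared `type: long` above although the log writes them with microsecond fractions, as `lock_time.sec` (`float`) is; the parser keeps the fraction, so map them as `float` if sub-second waits matter to you.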
        
- key: nats
  title: "NATS"
  description: >
    Module for parsing NATS log files.
  release: beta
  fields:
    - name: nats
      type: group
      description: >
        Fields from NATS logs.
      fields:
        - name: log
          type: group
          description: >
            Nats log files
          release: beta
          fields:
            - name: client
              type: group
              description: >
                Fields from NATS logs client.
              fields:
                - name: id
                  type: integer
                  description: >
                    The id of the client
            - name: msg
              type: group
              description: >
                Fields from NATS logs message.
              fields:
                - name: bytes
                  type: long
                  format: bytes
                  description: >
                    Size of the payload in bytes
                - name: type
                  type: keyword
                  description: >
                    The protocol message type
                - name: subject
                  type: keyword
                  description: >
                    Subject name this message was received on
                - name: sid
                  type: integer
                  description: >
                    The unique alphanumeric subscription ID of the subject
                - name: reply_to
                  type: keyword
                  description: >
                    The inbox subject on which the publisher is listening for responses
                - name: max_messages
                  type: integer
                  description: >
                    An optional number of messages to wait for before automatically unsubscribing
                - name: error.message
                  type: text
                  description: >
                    Details about the error occurred
                - name: queue_group
                  type: text
                  description: >
                    The queue group which subscriber will join
- key: nginx
  title: "Nginx"
  description: >
    Module for parsing the Nginx log files.
  short_config: true
  fields:
    - name: nginx
      type: group
      description: >
        Fields from the Nginx log files.
      fields:
        - name: access
          type: group
          description: >
            Contains fields for the Nginx access logs.
          fields:
            - name: remote_ip_list
              type: array
              description: >
                An array of remote IP addresses. It is a list because it is common to include, besides the client
                IP address, IP addresses from headers like `X-Forwarded-For`.
                Real source IP is restored to `source.ip`.
        
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: agent
              type: alias
              path: user_agent.original
              migration: true
        
            - name: user_agent
              type: group
              fields:
                - name: device
                  type: alias
                  path: user_agent.device.name
                  migration: true
                - name: name
                  type: alias
                  path: user_agent.name
                  migration: true
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                  migration: true
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                  migration: true
                - name: original
                  type: alias
                  path: user_agent.original
                  migration: true
        
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
        - name: error
          type: group
          description: >
            Contains fields for the Nginx error logs.
          fields:
            - name: connection_id
              type: long
              description: >
                Connection identifier.
        
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: tid
              type: alias
              path: process.thread.id
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: ingress_controller
          type: group
          description: >
            Contains fields for the Ingress Nginx controller access logs.
          fields:
            - name: remote_ip_list
              type: array
              description: >
                An array of remote IP addresses. It is a list because it is common to include, besides the client
                IP address, IP addresses from headers like `X-Forwarded-For`.
                Real source IP is restored to `source.ip`.
        
            # ingress-controller specific fields
            - name: upstream_address_list
              type: keyword
              description: >
                An array of the upstream addresses. It is a list because it is common that several upstream servers
                were contacted during request processing.
            - name: upstream.response.length_list
              type: keyword
              description: >
                An array of upstream response lengths. It is a list because it is common that several upstream servers
                were contacted during request processing.
            - name: upstream.response.time_list
              type: keyword
              description: >
                An array of upstream response durations. It is a list because it is common that several upstream servers
                were contacted during request processing.
            - name: upstream.response.status_code_list
              type: keyword
              description: >
                An array of upstream response status codes. It is a list because it is common that several upstream servers
                were contacted during request processing.
            - name: http.request.length
              type: long
              format: bytes
              description: >
                The request length (including request line, header, and request body)
            - name: http.request.time
              type: double
              format: duration
              description: >
                Time elapsed since the first bytes were read from the client
            - name: upstream.name
              type: keyword
              description: >
                The name of the upstream.
            - name: upstream.alternative_name
              type: keyword
              description: >
                The name of the alternative upstream.
            - name: upstream.response.length
              type: long
              format: bytes
              description: >
                The length of the response obtained from the upstream server. If several servers were contacted during request process,
                the summary of the multiple response lengths is stored.
            - name: upstream.response.time
              type: double
              format: duration
              description: >
                The time spent on receiving the response from the upstream as seconds with millisecond resolution.
                If several servers were contacted during request process, the summary of the multiple response times is stored.
            - name: upstream.response.status_code
              type: long
              description: >
                The status code of the response obtained from the upstream server. If several servers were contacted during
                request process, only the status code of the response from the last one is stored in this field.
            - name: upstream.ip
              type: ip
              description: >
                The IP address of the upstream server. If several servers were contacted during request process,
                only the last one is stored in this field.
            - name: upstream.port
              type: long
              description: >
                The port of the upstream server. If several servers were contacted during request process,
                only the last one is stored in this field.
            - name: http.request.id
              type: keyword
              description: >
                The randomly generated ID of the request
        
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: agent
              type: alias
              path: user_agent.original
              migration: true
        
            - name: user_agent
              type: group
              fields:
                - name: device
                  type: alias
                  path: user_agent.device.name
                  migration: true
                - name: name
                  type: alias
                  path: user_agent.name
                  migration: true
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                  migration: true
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                  migration: true
                - name: original
                  type: alias
                  path: user_agent.original
                  migration: true
        
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                  migration: true
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                  migration: true
                - name: location
                  type: alias
                  path: source.geo.location
                  migration: true
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                  migration: true
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                  migration: true
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
                  migration: true
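`remote_ip_list` and the note that the real source IP is restored to `source.ip` hide the one decision that matters for security: `X-Forwarded-For` is written by whoever sends the request, so only the hops appended by proxies you operate can be trusted. The block below is an added example, not the module's pipeline. It parses an access line under an assumed `log_format` (stated in the comment), builds `remote_ip_list` with the TCP peer last, and restores `source.ip` by walking the chain from the peer leftward and dropping known proxies, which is the only direction that cannot be spoofed. A naive "first public address" picker is included for contrast. The sample lines, the `TRUSTED` proxy range and the `PRIVATE` list are constructed for the example.

```python
"""Parse an nginx access line and restore the client IP from the proxy chain."""
import ipaddress
import re

# Assumed log_format (this example's, not the module's own grok pattern):
# '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#  "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
LINE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def restore_source_ip(remote_ip_list, trusted_proxies):
    """Walk the chain from the TCP peer (rightmost) leftward, discarding hops we
    operate. The first address outside trusted_proxies is the client; anything
    further left was written by that client and must not be believed."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    for candidate in reversed(remote_ip_list):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return None  # non-IP junk in the header: refuse rather than guess
        if not any(addr in net for net in nets):
            return str(addr)
    return remote_ip_list[-1]  # every hop was ours; fall back to the peer


def naive_first_public(remote_ip_list):
    """The shortcut often seen in pipelines: first address that is not RFC 1918 or
    loopback. Shown for contrast only; a client satisfies it with one forged header."""
    for candidate in remote_ip_list:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(addr in net for net in PRIVATE):
            return str(addr)
    return remote_ip_list[-1]


def parse_access_line(line, trusted_proxies):
    """Map one line onto the aliases listed above, with source.ip restored."""
    m = LINE.match(line)
    if not m:
        raise ValueError("line does not match the assumed log_format")
    xff = [p.strip() for p in m["xff"].split(",") if p.strip() and p.strip() != "-"]
    # leftmost entries are whatever the client sent; the TCP peer goes last
    remote_ip_list = xff + [m["remote_addr"]]
    return {
        "nginx.access.remote_ip_list": remote_ip_list,
        "source.ip": restore_source_ip(remote_ip_list, trusted_proxies),
        "user.name": None if m["user"] == "-" else m["user"],
        "http.request.method": m["method"],
        "url.original": m["url"],
        "http.version": m["version"],
        "http.response.status_code": int(m["status"]),
        "http.response.body.bytes": int(m["bytes"]),
        "http.request.referrer": None if m["referrer"] == "-" else m["referrer"],
        "user_agent.original": m["agent"],
    }


# Constructed sample lines. In the first, the real client 198.51.100.77 sent a
# forged "X-Forwarded-For: 203.0.113.9"; our proxy 10.0.0.5 appended the true peer.
SPOOFED = ('10.0.0.5 - - [15/Jan/2021:10:12:15 +0000] "GET /admin HTTP/1.1" 403 153 '
           '"-" "curl/7.74.0" "203.0.113.9, 198.51.100.77"')
DIRECT = ('198.51.100.77 - alice [15/Jan/2021:10:12:16 +0000] "POST /login HTTP/1.1" 200 512 '
          '"https://example.test/" "Mozilla/5.0" "-"')
TRUSTED = ["10.0.0.0/8"]  # the reverse proxies we operate (assumption for the example)
```

`parse_access_line(SPOOFED, TRUSTED)` yields `source.ip` = `198.51.100.77`, while `naive_first_public` on the same list returns the forged `203.0.113.9`; any detection keyed on `source.ip` (rate limits, geo anomalies, blocklists) is only as good as this choice. The same logic applies unchanged to the `ingress_controller` dataset, whose `remote_ip_list` has the same meaning.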
- key: osquery
  title: "Osquery"
  description: >
    Fields exported by the `osquery` module
  fields:
    - name: osquery
      type: group
      description: >
      fields:
        - name: result
          type: group
          description: >
            Common fields exported by the result metricset.
          fields:
            - name: name
              type: keyword
              description: >
                The name of the query that generated this event.
            - name: action
              type: keyword
              description: >
                For incremental data, marks whether the entry was added
                or removed. It can be one of "added", "removed", or "snapshot".
            - name: host_identifier
              type: keyword
              description: >
                The identifier for the host on which the osquery agent is running.
                Normally the hostname.
            - name: unix_time
              type: long
              description: >
                Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.
            - name: calendar_time
              type: keyword
              description: >
                String representation of the collection time, as formatted by osquery.
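The `action` field is the part of an osquery result that is easy to get wrong downstream: differential queries emit one row per event with `added`/`removed`, while snapshot queries emit a single record carrying a whole list of rows. The following is an added example, not the module's pipeline, that normalises both record shapes into one event per row keyed by the fields above and then runs a small check over constructed `listening_ports` results. The name `osquery.result.columns` for the row data and the allow list of ports are assumptions of the example.

```python
"""Turn osquery result-log JSON into one event per row, then watch for new listeners."""
import json
from datetime import datetime, timezone


def osquery_events(line: str):
    """Yield events keyed by the field names above. Differential results carry
    one row in "columns" with action added/removed; a snapshot carries a list of
    rows in "snapshot" with action "snapshot", so both shapes are normalised."""
    rec = json.loads(line)
    unix_time = int(rec["unixTime"])
    base = {
        "osquery.result.name": rec["name"],
        "osquery.result.action": rec["action"],
        "osquery.result.host_identifier": rec["hostIdentifier"],
        "osquery.result.unix_time": unix_time,
        "osquery.result.calendar_time": rec["calendarTime"],
        "@timestamp": datetime.fromtimestamp(unix_time, tz=timezone.utc).isoformat(),
    }
    rows = rec["snapshot"] if rec["action"] == "snapshot" else [rec["columns"]]
    for row in rows:
        # "osquery.result.columns" is this example's name for the row data (assumption)
        yield {**base, "osquery.result.columns": dict(row)}


def unexpected_listeners(lines, allowed_ports):
    """Listening ports that appeared ("added") or are present in a snapshot and are
    not on the allow list. "removed" rows are skipped: a port going away is not
    a new exposure. Returns (host, port, pid) tuples in log order."""
    hits = []
    for line in lines:
        for ev in osquery_events(line):
            if ev["osquery.result.name"] != "listening_ports":
                continue
            if ev["osquery.result.action"] == "removed":
                continue
            cols = ev["osquery.result.columns"]
            port = int(cols["port"])
            if port not in allowed_ports:
                hits.append((ev["osquery.result.host_identifier"], port, cols["pid"]))
    return hits


# Constructed lines in the shape of osqueryd's results log: two differential
# events for the same row, then one snapshot with two rows.
SAMPLE_LINES = [
    '{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Fri Jan 15 10:12:15 2021 UTC",'
    '"unixTime":1610705535,"epoch":0,"counter":2,"numerics":false,"decorations":{},'
    '"columns":{"pid":"4711","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"added"}',
    '{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Fri Jan 15 10:13:15 2021 UTC",'
    '"unixTime":1610705595,"epoch":0,"counter":3,"numerics":false,"decorations":{},'
    '"columns":{"pid":"4711","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"removed"}',
    '{"name":"listening_ports","hostIdentifier":"web-02","calendarTime":"Fri Jan 15 10:12:15 2021 UTC",'
    '"unixTime":1610705535,"epoch":0,"counter":0,"numerics":false,"decorations":{},'
    '"snapshot":[{"pid":"1","port":"22","protocol":"6","address":"0.0.0.0"},'
    '{"pid":"910","port":"8080","protocol":"6","address":"::"}],"action":"snapshot"}',
]
```

Note that `@timestamp` is derived from `unix_time`, as the description above says, rather than from `calendar_time`, whose free-form layout is only kept for display.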
- key: pensando
  title: Pensando
  description: >
    Pensando Module
  fields:
    - name: pensando
      type: group
      description: >
        Fields from Pensando logs.
      fields:
        - name: dfw
          type: group
          release: beta
          description: >
            Fields for Pensando DFW
          fields:
            - name: action
              type: keyword
              description: >
                Action on the flow.
            - name: app_id
              type: integer
              description: >
                Application ID.
            - name: destination_address
              type: keyword
              description: >
                Address of destination.
            - name: destination_port
              type: integer
              description: >
                Port of destination.
            - name: direction
              type: keyword
              description: >
                Direction of the flow.
            - name: protocol
              type: keyword
              description: >
                Protocol of the flow.
            - name: rule_id
              type: keyword
              description: >
                Rule ID that was matched.
            - name: session_id
              type: integer
              description: >
                Session ID of the flow.
            - name: session_state
              type: keyword
              description: >
                Session state of the flow.
            - name: source_address
              type: keyword
              description: >
                Source address of the flow.
            - name: source_port
              type: integer
              description: >
                Source port of the flow.
            - name: timestamp
              type: date
              description: >
                Timestamp of the log.
- key: postgresql
  title: "PostgreSQL"
  description: >
    Module for parsing the PostgreSQL log files.
  short_config: true
  fields:
    - name: postgresql
      type: group
      description: >
          Fields from PostgreSQL logs.
      fields:
        - name: log
          type: group
          description: >
            Fields from the PostgreSQL log files.
          fields:
            - name: timestamp
              deprecated: 7.3.0
              description: >
                The timestamp from the log line.
            - name: core_id
              type: alias
              path: postgresql.log.session_line_number
              description: >
                Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number).
              deprecated: 8.0.0
            - name: client_addr
              example: "127.0.0.1"
              description: >
                Host where the connection originated from.
            - name: client_port
              example: "59700"
              description: >
                Port where the connection originated from.
            - name: session_id
              description: >
                PostgreSQL session.
              example: "5ff1dd98.22"
            - name: session_line_number
              type: long
              description: >
                Line number inside a session. (%l in `log_line_prefix`).
            - name: database
              example: "postgres"
              description: >
                Name of database.
            - name: query
              example: "SELECT * FROM users;"
              description: >
                Query statement. In the case of CSV parse, look at command_tag to get more context.
            - name: query_step
              example: "parse"
              description: >
                Statement step when using extended query protocol (one of statement, parse, bind or execute).
            - name: query_name
              example: "pdo_stmt_00000001"
              description: >
                Name given to a query when using extended query protocol. If it is "<unnamed>", or not present,
                this field is ignored.
            - name: command_tag
              example: "SELECT"
              description: >
                Type of session's current command.
                The complete list can be found at: src/include/tcop/cmdtaglist.h
            - name: session_start_time
              type: date
              description: >
                Time when this session started.
            - name: virtual_transaction_id
              description: >
                Backend local transaction id.
            - name: transaction_id
              type: long
              description: >
                The id of current transaction.
            - name: sql_state_code
              # This code is not a number.
              type: keyword
              description: >
                State code returned by Postgres (if any).
                See also https://www.postgresql.org/docs/current/errcodes-appendix.html
            - name: detail
              description: >
                More information about the message, parameters in case of a parametrized query.
                e.g. 'Role \"user\" does not exist.', 'parameters: $1 = 42', etc.
            - name: hint
              description: >
                A possible solution to solve an error.
            - name: internal_query
              description: >
                Internal query that led to the error (if any).
            - name: internal_query_pos
              type: long
              description: >
                Character count of the internal query (if any).
            - name: context
              description: >
                Error context.
            - name: query_pos
              type: long
              description: >
                Character count of the error position (if any).
            - name: location
              description: >
                Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose).
            - name: application_name
              description: >
                Name of the application of this event. It is defined by the client.
            - name: backend_type
              example: "client backend"
              description: >
                Type of backend of this event.
                Possible types are autovacuum launcher, autovacuum worker, logical replication launcher,
                logical replication worker, parallel worker, background writer, client backend, checkpointer,
                startup, walreceiver, walsender and walwriter.
                In addition, background workers registered by extensions may have additional types.
        
            - name: error.code
              type: alias
              path: postgresql.log.sql_state_code
              description: >
                Error code returned by Postgres (if any).
                Deprecated: errors can have letters. Use sql_state_code instead.
              deprecated: 8.0.0
        
            - name: timezone
              type: alias
              path: event.timezone
              migration: true
            - name: user
              type: alias
              path: user.name
              migration: true
            - name: level
              type: alias
              example: "LOG"
              description: >
                Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC.
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
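The field list above follows PostgreSQL's csvlog column set almost one to one (`session_line_number` is `session_line_num`, `client_addr`/`client_port` are split out of `connection_from`, `error_severity` becomes `log.level`). The block below is an added example, not the module's pipeline: a csvlog parser that emits those field names, followed by a detection pass that counts `28P01` (invalid password) events per client address and user over constructed lines. The column order is the documented one for PostgreSQL 13 (an assumption; later releases append columns, which the parser ignores), `log_time` is kept in PostgreSQL's own format, and the threshold in `password_failures` is illustrative.

```python
"""Parse PostgreSQL csvlog lines into the fields above and count failed logins."""
import csv
import io
from collections import Counter

# csvlog column order as documented for PostgreSQL 13 (assumed; 14+ appends
# leader_pid and query_id, which zip() below simply ignores).
CSVLOG_COLUMNS = (
    "log_time", "user_name", "database_name", "process_id", "connection_from",
    "session_id", "session_line_num", "command_tag", "session_start_time",
    "virtual_transaction_id", "transaction_id", "error_severity", "sql_state_code",
    "message", "detail", "hint", "internal_query", "internal_query_pos", "context",
    "query", "query_pos", "location", "application_name", "backend_type",
)
INT_COLUMNS = {"process_id", "session_line_num", "transaction_id", "internal_query_pos", "query_pos"}
RENAME = {  # csvlog column -> name used on this page; others become postgresql.log.<column>
    "log_time": "@timestamp",  # value left in PostgreSQL's own format here
    "user_name": "user.name",
    "database_name": "postgresql.log.database",
    "process_id": "process.pid",
    "session_line_num": "postgresql.log.session_line_number",
    "error_severity": "log.level",
    "message": "message",
}


def parse_csvlog_line(line: str) -> dict:
    """One csvlog record -> flat dict. Empty cells are left out, as the module does."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < len(CSVLOG_COLUMNS):
        raise ValueError(f"expected {len(CSVLOG_COLUMNS)} columns, got {len(row)}")
    event = {}
    for col, value in zip(CSVLOG_COLUMNS, row):
        if value == "":
            continue
        if col == "connection_from":
            # "host:port"; rpartition keeps IPv6 hosts such as "::1:59700" intact,
            # and a Unix-socket connection shows up as "[local]" with no port.
            host, sep, port = value.rpartition(":")
            if sep and port.isdigit():
                event["postgresql.log.client_addr"] = host
                event["postgresql.log.client_port"] = int(port)
            else:
                event["postgresql.log.client_addr"] = value
            continue
        if col in INT_COLUMNS:
            value = int(value)
        event[RENAME.get(col, f"postgresql.log.{col}")] = value
    return event


def password_failures(lines, threshold=3):
    """(client_addr, user) pairs with at least `threshold` invalid_password (28P01) events."""
    failures = Counter()
    for line in lines:
        ev = parse_csvlog_line(line)
        if ev.get("postgresql.log.sql_state_code") == "28P01":
            failures[(ev.get("postgresql.log.client_addr"), ev.get("user.name"))] += 1
    return {k: n for k, n in failures.items() if n >= threshold}


def _failed_login(n: int) -> str:
    """Constructed csvlog line for one rejected password (FATAL, 28P01)."""
    return (
        f'2021-01-15 10:12:1{n} UTC,"postgres","postgres",471{n},"198.51.100.23:5970{n}",'
        f'5ff1dd98.126{n},3,"authentication",2021-01-15 10:12:1{n} UTC,3/1{n},0,FATAL,28P01,'
        '"password authentication failed for user ""postgres""",'
        '"Connection matched pg_hba.conf line 95: ""host all all 0.0.0.0/0 md5""",'
        ',,,,,,,"psql","client backend"'
    )


SAMPLE_LINES = [
    _failed_login(5), _failed_login(6), _failed_login(7),
    # a successful login from elsewhere, which must not be counted
    '2021-01-15 10:12:18 UTC,"app","shop",4720,"10.0.0.8:41022",5ff1dda2.1270,1,"authentication",'
    '2021-01-15 10:12:18 UTC,4/7,0,LOG,00000,"connection authorized: user=app database=shop",'
    ',,,,,,,,"app-backend","client backend"',
]
```

Keying on `sql_state_code` rather than on the message text is deliberate: the code is stable across PostgreSQL versions and locales, while `message` is translated by `lc_messages`, which is also why the page deprecates the numeric `error.code` alias in favour of the keyword field.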
- key: redis
  title: "Redis"
  description: >
    Redis Module
  fields:
    - name: redis
      type: group
      description: >
      fields:
        - name: log
          type: group
          description: >
            Redis log files
          fields:
            - name: role
              type: keyword
              description: >
                The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDB/AOF writing child),
                or `sentinel`.
        
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: level
              type: alias
              path: log.level
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
        - name: slowlog
          type: group
          description: >
            Slow logs are retrieved from Redis via a network connection.
          fields:
            - name: cmd
              type: keyword
              description: >
                The command executed.
            - name: duration.us
              type: long
              description: >
                How long it took to execute the command in microseconds.
            - name: id
              type: long
              description: >
                The ID of the query.
            - name: key
              type: keyword
              description: >
                The key on which the command was executed.
            - name: args
              type: keyword
              description: >
                The arguments with which the command was called.
- key: santa
  title: "Google Santa"
  description: >
    Santa Module
  fields:
    - name: santa
      type: group
      description: >
      fields:

        - name: action
          type: keyword
          example: EXEC
          description: Action

        - name: decision
          type: keyword
          example: ALLOW
          description: Decision that santad took.

        - name: reason
          type: keyword
          example: CERT
          description: Reason for the decision.

        - name: mode
          type: keyword
          example: M
          description: Operating mode of Santa.

        - name: disk
          type: group
          description: Fields for DISKAPPEAR actions.
          fields:
            - name: volume
              description: The volume name.

            - name: bus
              description: The disk bus protocol.

            - name: serial
              description: The disk serial number.

            - name: bsdname
              example: disk1s3
              description: The disk BSD name.

            - name: model
              example: APPLE SSD SM0512L
              description: The disk model.

            - name: fs
              example: apfs
              description: The disk volume kind (filesystem type).

            - name: mount
              description: The disk volume path.

        - name: certificate.common_name
          type: keyword
          description: Common name from code signing certificate.

        - name: certificate.sha256
          type: keyword
          description: SHA256 hash of code signing certificate.
- key: system
  title: "System"
  description: >
    Module for parsing system log files.
  short_config: true
  fields:
    - name: system
      type: group
      description: >
        Fields from the system log files.
      fields:
        - name: auth
          type: group
          description: >
            Fields from the Linux authorization logs.
          fields:
            - name: timestamp
              type: alias
              path: '@timestamp'
              migration: true
            - name: hostname
              type: alias
              path: host.hostname
              migration: true
            - name: program
              type: alias
              path: process.name
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
            - name: user
              type: alias
              path: user.name
              migration: true
        
            - name: ssh
              type: group
              fields:
              - name: method
                description: >
                  The SSH authentication method. Can be one of "password" or "publickey".
              - name: signature
                description: >
                  The signature of the client public key.
              - name: dropped_ip
                type: ip
                description: >
                  The client IP of SSH connections that were opened and immediately dropped.
        
              - name: event
                example: Accepted
                description: >
                  The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
        
              - name: ip
                type: alias
                path: source.ip
                migration: true
              - name: port
                type: alias
                path: source.port
                migration: true
        
              - name: geoip
                type: group
                fields:
                  - name: continent_name
                    type: alias
                    path: source.geo.continent_name
                    migration: true
                  - name: country_iso_code
                    type: alias
                    path: source.geo.country_iso_code
                    migration: true
                  - name: location
                    type: alias
                    path: source.geo.location
                    migration: true
                  - name: region_name
                    type: alias
                    path: source.geo.region_name
                    migration: true
                  - name: city_name
                    type: alias
                    path: source.geo.city_name
                    migration: true
                  - name: region_iso_code
                    type: alias
                    path: source.geo.region_iso_code
                    migration: true
        
            - name: sudo
              type: group
              description: >
                Fields specific to events created by the `sudo` command.
              fields:
              - name: error
                example: user NOT in sudoers
                description: >
                  The error message in case the sudo command failed.
              - name: tty
                description: >
                  The TTY where the sudo command is executed.
              - name: pwd
                description: >
                  The current directory where the sudo command is executed.
              - name: user
                example: root
                description: >
                  The target user to which the sudo command is switching.
              - name: command
                description: >
                  The command executed via sudo.
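The `system.auth.ssh` and `system.auth.sudo` fields above are extracted from OpenSSH and sudo messages in the Linux auth log. The following Python is an added example, not the Filebeat module's own ingest pipeline: it parses a handful of constructed auth.log messages (syslog timestamp and hostname dropped, only the program and message kept) into those field names, then runs two small checks over the result, a failed-login count per source IP and a list of denied sudo invocations. The regular expressions are this example's own assumptions about the message shapes; they are not taken from the module.

```python
"""Parse Linux auth.log messages into the system.auth.* fields listed above.

Added example; this is not Filebeat's own ingest pipeline. The regular
expressions follow the common OpenSSH and sudo syslog message shapes (an
assumption of this example) and the sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LINES = [  # constructed sample input
    "sshd[1042]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: "
    "RSA SHA256:b2Uu6G9HdWk6d5k5QYtHwX3mB7k1cDq9GqLrjKXf4Gw",
    "sshd[1043]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "sshd[1044]: Failed password for root from 203.0.113.7 port 4023 ssh2",
    "sshd[1045]: Failed password for root from 203.0.113.7 port 4024 ssh2",
    "sshd[1046]: Did not receive identification string from 198.51.100.9 port 33211",
    "sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; "
    "COMMAND=/bin/cat /etc/shadow",
]

# "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
# "Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2"
SSH_AUTH = re.compile(
    r"^sshd\[(?P<pid>\d+)\]: (?P<event>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<signature>.+))?$"
)
# Connection opened and dropped before the client sent an identification string.
SSH_DROPPED = re.compile(
    r"^sshd\[(?P<pid>\d+)\]: Did not receive identification string from (?P<ip>\S+)"
)
# "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update"
# A failed sudo puts the error before TTY: "bob : user NOT in sudoers ; TTY=..."
SUDO = re.compile(
    r"^sudo:\s+(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.+?) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_auth_line(line: str) -> Optional[Dict[str, object]]:
    """Map one message to the schema's field names; None if nothing matches."""
    m = SSH_AUTH.match(line)
    if m:
        doc: Dict[str, object] = {
            "process.name": "sshd",
            "process.pid": int(m["pid"]),
            "user.name": m["user"],
            "source.ip": m["ip"],
            "source.port": int(m["port"]),
            "system.auth.ssh.event": m["event"],
            "system.auth.ssh.method": m["method"],
            "event.outcome": "success" if m["event"] == "Accepted" else "failure",
        }
        if m["signature"]:
            doc["system.auth.ssh.signature"] = m["signature"]
        return doc
    m = SSH_DROPPED.match(line)
    if m:
        return {
            "process.name": "sshd",
            "process.pid": int(m["pid"]),
            "system.auth.ssh.dropped_ip": m["ip"],
        }
    m = SUDO.match(line)
    if m:
        doc = {
            "process.name": "sudo",
            "user.name": m["user"],
            "system.auth.sudo.tty": m["tty"],
            "system.auth.sudo.pwd": m["pwd"],
            "system.auth.sudo.user": m["target"],
            "system.auth.sudo.command": m["command"],
            "event.outcome": "failure" if m["error"] else "success",
        }
        if m["error"]:
            doc["system.auth.sudo.error"] = m["error"]
        return doc
    return None


def parse_auth_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [d for d in (parse_auth_line(l) for l in lines) if d is not None]


def failed_ssh_by_source(docs, threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` failed SSH logins: a brute-force signal."""
    counts = Counter(
        str(d["source.ip"]) for d in docs if d.get("system.auth.ssh.event") == "Failed"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sudo_denials(docs) -> List[Dict[str, object]]:
    """sudo invocations that failed, e.g. a user outside sudoers reading /etc/shadow."""
    return [d for d in docs if "system.auth.sudo.error" in d]


if __name__ == "__main__":
    docs = parse_auth_lines(SAMPLE_LINES)
    print(failed_ssh_by_source(docs))  # {'203.0.113.7': 3}
    for d in sudo_denials(docs):
        print(d["user.name"], d["system.auth.sudo.error"], d["system.auth.sudo.command"])
```

The "invalid user" literal in sshd's failure message is consumed so that `user.name` holds the attempted name rather than the word `invalid`; the schema keeps only the event, method and signature, so that distinction is visible in the parsed document only through `event.outcome`.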
        
            - name: useradd
              type: group
              description: >
                Fields specific to events created by the `useradd` command.
              fields:
              - name: home
                description:
                  The home folder for the new user.
              - name: shell
                description:
                  The default shell for the new user.
        
              - name: name
                type: alias
                path: user.name
                migration: true
              - name: uid
                type: alias
                path: user.id
                migration: true
              - name: gid
                type: alias
                path: group.id
                migration: true
        
            - name: groupadd
              type: group
              description: >
                Fields specific to events created by the `groupadd` command.
              fields:
              - name: name
                type: alias
                path: group.name
                migration: true
              - name: gid
                type: alias
                path: group.id
                migration: true
        - name: syslog
          type: group
          description: >
            Contains fields from the syslog system logs.
          fields:
            - name: timestamp
              type: alias
              path: '@timestamp'
              migration: true
            - name: hostname
              type: alias
              path: host.hostname
              migration: true
            - name: program
              type: alias
              path: process.name
              migration: true
            - name: pid
              type: alias
              path: process.pid
              migration: true
            - name: message
              type: alias
              path: message
              migration: true
- key: traefik
  title: "Traefik"
  description: >
    Module for parsing the Traefik log files.
  fields:
    - name: traefik
      type: group
      description: >
        Fields from the Traefik log files.
      fields:
        - name: access
          type: group
          description: >
            Contains fields for the Traefik access logs.
          fields:
            - name: user_identifier
              type: keyword
              description: >
                The RFC 1413 identity of the client.
            - name: request_count
              type: long
              description: >
                The number of requests.
            - name: frontend_name
              type: keyword
              description: >
                The name of the frontend used.
            - name: backend_url
              type: keyword
              description:
                The URL of the backend to which the request is forwarded.
        
            - name: body_sent.bytes
              type: alias
              path: http.response.body.bytes
              migration: true
            - name: remote_ip
              type: alias
              path: source.address
              migration: true
            - name: user_name
              type: alias
              path: user.name
              migration: true
            - name: method
              type: alias
              path: http.request.method
              migration: true
            - name: url
              type: alias
              path: url.original
              migration: true
            - name: http_version
              type: alias
              path: http.version
              migration: true
            - name: response_code
              type: alias
              path: http.response.status_code
              migration: true
            - name: referrer
              type: alias
              path: http.request.referrer
              migration: true
            - name: agent
              type: alias
              path: user_agent.original
              migration: true
        
            - name: user_agent
              type: group
              fields:
                - name: name
                  type: alias
                  path: user_agent.name
                - name: os
                  type: alias
                  path: user_agent.os.full_name
                - name: os_name
                  type: alias
                  path: user_agent.os.name
                - name: original
                  type: alias
                  path: user_agent.original
        
            - name: geoip
              type: group
              fields:
                - name: continent_name
                  type: alias
                  path: source.geo.continent_name
                - name: country_iso_code
                  type: alias
                  path: source.geo.country_iso_code
                - name: location
                  type: alias
                  path: source.geo.location
                - name: region_name
                  type: alias
                  path: source.geo.region_name
                - name: city_name
                  type: alias
                  path: source.geo.city_name
                - name: region_iso_code
                  type: alias
                  path: source.geo.region_iso_code
        
- key: activemq
  title: "ActiveMQ"
  release: ga
  description: >
    Module for parsing ActiveMQ log files.
  fields:
    - name: activemq
      type: group
      description: >
      fields:
        - name: caller
          type: keyword
          description: >
            Name of the caller issuing the logging request (class or resource).
        - name: thread
          type: keyword
          description: >
            Thread that generated the logging event.
        - name: user
          type: keyword
          description: >
            User that generated the logging event.
        - name: audit
          type: group
          description: >
            Fields from ActiveMQ audit logs.
          fields:
        - name: log
          type: group
          description: >
            Fields from ActiveMQ application logs.
          fields:
            - name: stack_trace
              type: keyword
- key: aws
  title: AWS
  release: ga
  description: >
    Module for handling logs from AWS.
  fields:
    - name: aws
      type: group
      description: >
        Fields from AWS logs.
      fields:
        - name: cloudtrail
          type: group
          release: ga
          description: >
            Fields for AWS CloudTrail logs.
          fields:
            - name: event_version
              type: keyword
              description: >
                The CloudTrail version of the log event format.
            - name: user_identity
              type: group
              description: >-
                The userIdentity element contains details about the type of
                IAM identity that made the request, and which credentials were
                used. If temporary credentials were used, the element shows how the
                credentials were obtained.
              fields:
                - name: type
                  type: keyword
                  description: >
                    The type of the identity
                - name: arn
                  type: keyword
                  description: >-
                    The Amazon Resource Name (ARN) of the principal that made the call.
                - name: access_key_id
                  type: keyword
                  description: >-
                    The access key ID that was used to sign the request.
                - name: session_context
                  type: group
                  description: >-
                    If the request was made with temporary security
                    credentials, an element that provides information about the session
                    that was created for those credentials
                  fields:
                    - name: mfa_authenticated
                      type: keyword
                      description: >-
                        The value is true if the root user or IAM user whose
                        credentials were used for the request also was authenticated with an
                        MFA device; otherwise, false.
                    - name: creation_date
                      type: date
                      description: >-
                        The date and time when the temporary security credentials were issued.
                    - name: session_issuer
                      type: group
                      description: >-
                        If the request was made with temporary security
                        credentials, an element that provides information about
                        how the credentials were obtained.
                      fields:
                        - name: type
                          type: keyword
                          description: >-
                            The source of the temporary security credentials, such
                            as Root, IAMUser, or Role.
                        - name: principal_id
                          type: keyword
                          description: >-
                            The internal ID of the entity that was used to get
                            credentials.
                        - name: arn
                          type: keyword
                          description: >-
                            The ARN of the source (account, IAM user, or role)
                            that was used to get temporary security credentials.
                        - name: account_id
                          type: keyword
                          description: >-
                            The account that owns the entity that was used to get
                            credentials.
                - name: invoked_by
                  type: keyword
                  description: >-
                    The name of the AWS service that made the request, such as
                    Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.
            - name: error_code
              type: keyword
              description: >-
                The AWS service error if the request returns an error.
            - name: error_message
              type: keyword
              description: >-
                If the request returns an error, the description of the error.
            - name: request_parameters
              type: keyword
              description: >-
                The parameters, if any, that were sent with the request.
              multi_fields:
                - name: text
                  type: text
            - name: response_elements
              type: keyword
              description: >-
                The response element for actions that make changes (create,
                update, or delete actions).
              multi_fields:
                - name: text
                  type: text
            - name: additional_eventdata
              type: keyword
              description: >-
                Additional data about the event that was not part of the
                request or response.
              multi_fields:
                - name: text
                  type: text
            - name: request_id
              type: keyword
              description: >-
                The value that identifies the request. The service being
                called generates this value.
            - name: event_type
              type: keyword
              description: >-
                Identifies the type of event that generated the event record.
            - name: api_version
              type: keyword
              description: >-
                Identifies the API version associated with the AwsApiCall
                eventType value.
            - name: management_event
              type: keyword
              description: >-
                A Boolean value that identifies whether the event is a
                management event.
            - name: read_only
              type: keyword
              description: >-
                Identifies whether this operation is a read-only operation.
            - name: resources
              type: group
              description: >-
                A list of resources accessed in the event.
              fields:
                - name: arn
                  type: keyword
                  description: >-
                    Resource ARNs
                - name: account_id
                  type: keyword
                  description: >-
                    Account ID of the resource owner
                - name: type
                  type: keyword
                  description: >-
                    Resource type identifier in the format: AWS::aws-service-name::data-type-name
            - name: recipient_account_id
              type: keyword
              description: >-
                Represents the account ID that received this event.
            - name: service_event_details
              type: keyword
              description: >-
                Identifies the service event, including what triggered the
                event and the result.
              multi_fields:
                - name: text
                  type: text
            - name: shared_event_id
              type: keyword
              description: >-
                GUID generated by CloudTrail to uniquely identify CloudTrail
                events from the same AWS action that is sent to different AWS
                accounts.
            - name: vpc_endpoint_id
              type: keyword
              description: >-
                Identifies the VPC endpoint in which requests were made from a
                VPC to another AWS service, such as Amazon S3.
            - name: event_category
              type: keyword
              description: |-
                Shows the event category that is used in LookupEvents calls.
        
                 - For management events, the value is management.
                 - For data events, the value is data.
                 - For Insights events, the value is insight.
            - name: console_login
              type: group
              description: >-
                Fields specific to ConsoleLogin events
              fields:
                - name: additional_eventdata
                  type: group
                  description: >
                    Additional Event Data for ConsoleLogin events
                  fields:
                    - name: mobile_version
                      type: boolean
                      description: >-
                        Identifies whether ConsoleLogin was from mobile version
                    - name: login_to
                      type: keyword
                      description: >-
                        URL for ConsoleLogin
                    - name: mfa_used
                      type: boolean
                      description: >-
                        Identifies whether multi factor authentication was
                        used during ConsoleLogin
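The `user_identity`, `session_context` and `console_login` fields above carry the authentication facts an analyst needs from a CloudTrail record: who the principal was, how it got its credentials, and whether MFA was involved. The Python below is an added example, not the module's ingest pipeline: it flattens constructed CloudTrail records (account `123456789012`, `EXAMPLE` key and role identifiers are placeholders) onto the dotted field names of this schema, keeping `mfa_authenticated` as the `"true"`/`"false"` string the schema types as keyword and `mfa_used` as the boolean it types, then raises findings for a root console login without MFA, root API use, and mutating calls from sessions that were not MFA-authenticated. The severities and rule names are this example's own choices.

```python
"""Flatten CloudTrail userIdentity / ConsoleLogin data onto the aws.cloudtrail.*
fields above and flag weak-authentication patterns.

Added example; not the Filebeat module's own pipeline. Records are constructed
(account 123456789012, EXAMPLE key and role IDs) and trimmed to what is used.
"""
from typing import Dict, List, Tuple

RECORDS = [  # constructed CloudTrail records
    {
        "eventVersion": "1.08", "eventType": "AwsConsoleSignIn",
        "eventName": "ConsoleLogin", "readOnly": False,
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventVersion": "1.08", "eventType": "AwsApiCall",
        "eventName": "DeleteBucket", "readOnly": False,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci-runner",
            "accessKeyId": "ASIAEXAMPLEKEY",
            "sessionContext": {
                "attributes": {"mfaAuthenticated": "false",
                               "creationDate": "2024-03-10T14:00:00Z"},
                "sessionIssuer": {"type": "Role", "principalId": "AROAEXAMPLEID",
                                  "arn": "arn:aws:iam::123456789012:role/Deployer",
                                  "accountId": "123456789012"},
            },
        },
    },
    {
        "eventVersion": "1.08", "eventType": "AwsApiCall",
        "eventName": "CreateUser", "readOnly": False,
        "userIdentity": {
            "type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
            "accessKeyId": "ASIAEXAMPLEKEY2",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                              "creationDate": "2024-03-10T13:55:00Z"}},
        },
    },
]

PREFIX = "aws.cloudtrail."


def to_fields(record: dict) -> Dict[str, object]:
    """Flatten one raw record into the dotted field names of the schema."""
    ui = record.get("userIdentity", {})
    sc = ui.get("sessionContext", {})
    attrs = sc.get("attributes", {})
    issuer = sc.get("sessionIssuer", {})
    ctx = PREFIX + "user_identity.session_context."
    out: Dict[str, object] = {
        PREFIX + "event_version": record.get("eventVersion"),
        PREFIX + "event_type": record.get("eventType"),
        PREFIX + "read_only": record.get("readOnly"),
        "event.action": record.get("eventName"),
        PREFIX + "user_identity.type": ui.get("type"),
        PREFIX + "user_identity.arn": ui.get("arn"),
        PREFIX + "user_identity.access_key_id": ui.get("accessKeyId"),
        # keyword in the schema: keep the "true"/"false" string as CloudTrail emits it
        ctx + "mfa_authenticated": attrs.get("mfaAuthenticated"),
        ctx + "creation_date": attrs.get("creationDate"),
        ctx + "session_issuer.type": issuer.get("type"),
        ctx + "session_issuer.principal_id": issuer.get("principalId"),
        ctx + "session_issuer.arn": issuer.get("arn"),
        ctx + "session_issuer.account_id": issuer.get("accountId"),
    }
    if record.get("eventName") == "ConsoleLogin":
        aed = record.get("additionalEventData", {})
        cl = PREFIX + "console_login.additional_eventdata."
        # boolean in the schema: CloudTrail writes "Yes"/"No" here
        out[cl + "mfa_used"] = aed.get("MFAUsed") == "Yes"
        out[cl + "mobile_version"] = aed.get("MobileVersion") == "Yes"
        out[cl + "login_to"] = aed.get("LoginTo")
        ok = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        out["event.outcome"] = "success" if ok else "failure"
    return {k: v for k, v in out.items() if v is not None}


def findings(fields: Dict[str, object]) -> List[Tuple[str, str]]:
    """(severity, rule) pairs for one flattened event; names are this example's own."""
    hits: List[Tuple[str, str]] = []
    ident = fields.get(PREFIX + "user_identity.type")
    ctx = PREFIX + "user_identity.session_context."
    mfa_session = fields.get(ctx + "mfa_authenticated")
    mfa_console = fields.get(PREFIX + "console_login.additional_eventdata.mfa_used")
    if fields.get("event.action") == "ConsoleLogin" and mfa_console is False:
        hits.append(("critical" if ident == "Root" else "high", "console login without MFA"))
    if ident == "Root" and fields.get("event.action") != "ConsoleLogin":
        hits.append(("high", "root credentials used for an API call"))
    if fields.get(PREFIX + "read_only") is False and mfa_session == "false":
        issuer = fields.get(ctx + "session_issuer.type")
        hits.append(("medium", f"mutating call from a non-MFA session (issuer: {issuer})"))
    return hits


def triage(records) -> List[Tuple[str, str, str]]:
    """(principal arn, severity, rule) for every finding across the records."""
    result: List[Tuple[str, str, str]] = []
    for r in records:
        f = to_fields(r)
        for sev, rule in findings(f):
            result.append((str(f.get(PREFIX + "user_identity.arn")), sev, rule))
    return result
```

The assumed-role finding is deliberately only medium: CI roles routinely run without MFA, and the useful follow-up is the `session_issuer.arn`, which names the role whose trust policy decides who may obtain that session.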
            - name: flattened
              type: group
              description: >-
                ES flattened datatype for objects where the subfields aren't known in advance.
              fields:
                - name: additional_eventdata
                  type: flattened
                  description: >
                    Additional data about the event that was not part of the
                    request or response.
                - name: request_parameters
                  type: flattened
                  description: >-
                    The parameters, if any, that were sent with the request.
                - name: response_elements
                  type: flattened
                  description: >-
                    The response element for actions that make changes (create,
                    update, or delete actions).
                - name: service_event_details
                  type: flattened
                  description: >-
                    Identifies the service event, including what triggered the
                    event and the result.
            - name: digest
              type: group
              description: >-
                Fields from Cloudtrail Digest Logs
              fields:
                - name: log_files
                  type: nested
                  description: >-
                    A list of Logfiles contained in the digest.
                - name: start_time
                  type: date
                  description: >-
                    The starting UTC time range that the digest file covers,
                    taking as a reference the time in which log files have
                    been delivered by CloudTrail.
                - name: end_time
                  type: date
                  description: >-
                    The ending UTC time range that the digest file covers,
                    taking as a reference the time in which log files have
                    been delivered by CloudTrail.
                - name: s3_bucket
                  type: keyword
                  description: >-
                    The name of the Amazon S3 bucket to which the current
                    digest file has been delivered.
                - name: s3_object
                  type: keyword
                  description: >-
                    The Amazon S3 object key (that is, the Amazon S3 bucket
                    location) of the current digest file.
                - name: newest_event_time
                  type: date
                  description: >-
                    The UTC time of the most recent event among all of the
                    events in the log files in the digest.
                - name: oldest_event_time
                  type: date
                  description: >-
                    The UTC time of the oldest event among all of the events
                    in the log files in the digest.
                - name: previous_s3_bucket
                  type: keyword
                  description: >-
                    The Amazon S3 bucket to which the previous digest file was
                    delivered.
                - name: previous_hash_algorithm
                  type: keyword
                  description: >-
                    The name of the hash algorithm that was used to hash the
                    previous digest file.
                - name: public_key_fingerprint
                  type: keyword
                  description: >-
                    The hexadecimal encoded fingerprint of the public key that
                    matches the private key used to sign this digest file.
                - name: signature_algorithm
                  type: keyword
                  description: >-
                    The algorithm used to sign the digest file.
            - name: insight_details
              type: flattened
              description: >-
                Shows information about the underlying triggers of an Insights
                event, such as event source, user agent, statistics, API name,
                and whether the event is the start or end of the Insights
                event.
        - name: cloudwatch
          type: group
          release: ga
          description: >
            Fields for AWS CloudWatch logs.
          fields:
            - name: message
              type: text
              description: >
                CloudWatch log message.
        - name: ec2
          type: group
          release: ga
          description: >
            Fields for AWS EC2 logs in CloudWatch.
          fields:
            - name: ip_address
              type: keyword
              description: >
                The internet address of the requester.
        - name: elb
          type: group
          release: ga
          description: >
            Fields for AWS ELB logs.
          fields:
            - name: name
              type: keyword
              description: >
                The name of the load balancer.
            - name: type
              type: keyword
              description: >
                The type of the load balancer for v2 Load Balancers.
            - name: target_group.arn
              type: keyword
              description: >
                The ARN of the target group handling the request.
            - name: listener
              type: keyword
              description: >
                The ELB listener that received the connection.
            - name: protocol
              type: keyword
              description: >
                The protocol of the load balancer (http or tcp).
            - name: request_processing_time.sec
              type: float
              description: >
                The time in seconds from when the load balancer received the connection or request until it sent it to a registered backend.
            - name: backend_processing_time.sec
              type: float
              description: >
                The time in seconds from when the load balancer sent the connection or request to the backend until the backend started responding.
            - name: response_processing_time.sec
              type: float
              description: >
                The time in seconds from when the load balancer received the response from the backend until it sent it to the client.
            - name: connection_time.ms
              type: long
              description: >
                The total duration of the connection in milliseconds, from open to close.
            - name: tls_handshake_time.ms
              type: long
              description: >
                The time in milliseconds for the TLS handshake to complete once the connection was established.
            - name: backend.ip
              type: keyword
              description: >
                The IP address of the backend processing this connection.
            - name: backend.port
              type: keyword
              description: >
                The port in the backend processing this connection.
            - name: backend.http.response.status_code
              type: keyword
              description: >
                The status code from the backend (the status code sent to the client by the ELB is stored in `http.response.status_code`).
            - name: ssl_cipher
              type: keyword
              description: >
                The SSL cipher used in TLS/SSL connections.
            - name: ssl_protocol
              type: keyword
              description: >
                The SSL protocol used in TLS/SSL connections.
            - name: chosen_cert.arn
              type: keyword
              description: >
                The ARN of the chosen certificate presented to the client in TLS/SSL connections.
            - name: chosen_cert.serial
              type: keyword
              description: >
                The serial number of the chosen certificate presented to the client in TLS/SSL connections.
            - name: incoming_tls_alert
              type: keyword
              description: >
                The integer value of TLS alerts received by the load balancer from the client, if present.
            - name: tls_named_group
              type: keyword
              description: >
                The TLS named group.
            - name: trace_id
              type: keyword
              description: >
                The contents of the `X-Amzn-Trace-Id` header.
            - name: matched_rule_priority
              type: keyword
              description: >
                The priority value of the rule that matched the request, if a rule matched.
            - name: action_executed
              type: keyword
              description: >
                The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values.
            - name: redirect_url
              type: keyword
              description: >
                The URL used if a redirection action was executed.
            - name: error.reason
              type: keyword
              description: >
                The error reason if the executed action failed.
            - name: target_port
              type: keyword
              description: >
                List of IP addresses and ports for the targets that processed this request.
            - name: target_status_code
              type: keyword
              description: >
                List of status codes from the responses of the targets.
            - name: classification
              type: keyword
              description: >
                The classification for desync mitigation.
            - name: classification_reason
              type: keyword
              description: >
                The classification reason code.
        - name: s3access
          type: group
          release: ga
          description: >
            Fields for AWS S3 server access logs.
          fields:
            - name: bucket_owner
              type: keyword
              description: >
                The canonical user ID of the owner of the source bucket.
            - name: bucket
              type: keyword
              description: >
                The name of the bucket that the request was processed against.
            - name: remote_ip
              type: ip
              description: >
                The apparent internet address of the requester.
            - name: requester
              type: keyword
              description: >
                The canonical user ID of the requester, or a - for unauthenticated requests.
            - name: request_id
              type: keyword
              description: >
                A string generated by Amazon S3 to uniquely identify each request.
            - name: operation
              type: keyword
              description: >
                The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
            - name: key
              type: keyword
              description: >
                The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.
            - name: request_uri
              type: keyword
              description: >
                The Request-URI part of the HTTP request message.
            - name: http_status
              type: long
              description: >
                The numeric HTTP status code of the response.
            - name: error_code
              type: keyword
              description: >
                The Amazon S3 Error Code, or "-" if no error occurred.
            - name: bytes_sent
              type: long
              description: >
                The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
            - name: object_size
              type: long
              description: >
                The total size of the object in question.
            - name: total_time
              type: long
              description: >
                The number of milliseconds the request was in flight from the server's perspective.
            - name: turn_around_time
              type: long
              description: >
                The number of milliseconds that Amazon S3 spent processing your request.
            - name: referrer
              type: keyword
              description: >
                The value of the HTTP Referer header, if present.
            - name: user_agent
              type: keyword
              description: >
                The value of the HTTP User-Agent header.
            - name: version_id
              type: keyword
              description: >
                The version ID in the request, or "-" if the operation does not take a versionId parameter.
            - name: host_id
              type: keyword
              description: >
                The x-amz-id-2 or Amazon S3 extended request ID.
            - name: signature_version
              type: keyword
              description: >
                The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.
            - name: cipher_suite
              type: keyword
              description: >
                The Secure Sockets Layer (SSL) cipher that was negotiated for an HTTPS request, or "-" for HTTP.
            - name: authentication_type
              type: keyword
              description: >
                The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.
            - name: host_header
              type: keyword
              description: >
                The endpoint used to connect to Amazon S3.
            - name: tls_version
              type: keyword
              description: >
                The Transport Layer Security (TLS) version negotiated by the client.
        - name: vpcflow
          type: group
          release: ga
          description: >
            Fields for AWS VPC flow logs.
          fields:
            - name: version
              type: keyword
              description: >
                The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
            - name: account_id
              type: keyword
              description: >
                The AWS account ID for the flow log.
            - name: interface_id
              type: keyword
              description: >
                The ID of the network interface for which the traffic is recorded.
            - name: action
              type: keyword
              description: >
                The action that is associated with the traffic, ACCEPT or REJECT.
            - name: log_status
              type: keyword
              description: >
                The logging status of the flow log, OK, NODATA or SKIPDATA.
            - name: instance_id
              type: keyword
              description: >
                The ID of the instance that's associated with the network interface for which the traffic is recorded, if the instance is owned by you.
            - name: pkt_srcaddr
              type: ip
              description: >
                The packet-level (original) source IP address of the traffic.
            - name: pkt_dstaddr
              type: ip
              description: >
                The packet-level (original) destination IP address for the traffic.
            - name: vpc_id
              type: keyword
              description: >
                The ID of the VPC that contains the network interface for which the traffic is recorded.
            - name: subnet_id
              type: keyword
              description: >
                The ID of the subnet that contains the network interface for which the traffic is recorded.
            - name: tcp_flags
              type: keyword
              description: >
                The bitmask value for the following TCP flags: 2=SYN, 18=SYN-ACK, 1=FIN, 4=RST.
            - name: tcp_flags_array
              type: keyword
              description: >
                List of TCP flags: 'fin, syn, rst, psh, ack, urg'
            - name: type
              type: keyword
              description: >
                The type of traffic: IPv4, IPv6, or EFA.
- key: awsfargate
  title: AWS Fargate
  release: beta
  description: >
    Module for collecting container logs from Amazon ECS Fargate.
  fields:
    - name: awsfargate
      type: group
      description: >
        Fields from Amazon ECS Fargate logs.
      fields:
        - name: log
          type: group
          release: beta
          description: >
            Fields for Amazon Fargate container logs.
          fields:
- key: azure
  title: "Azure"
  release: ga
  description: >
    Azure Module
  fields:
    - name: azure
      type: group
      description: >
      fields:
        - name: subscription_id
          type: keyword
          description: >
            Azure subscription ID
        - name: correlation_id
          type: keyword
          description: >
            Correlation ID
        - name: tenant_id
          type: keyword
          description: >
            Tenant ID
        - name: resource
          type: group
          description: >
            Resource
          fields:
            - name: id
              type: keyword
              description: >
                Resource ID
            - name: group
              type: keyword
              description: >
                Resource group
            - name: provider
              type: keyword
              description: >
                Resource type/namespace
            - name: namespace
              type: keyword
              description: >
                Resource type/namespace
            - name: name
              type: keyword
              description: >
                Name
            - name: authorization_rule
              type: keyword
              description: >
                Authorization rule
        - name: activitylogs
          type: group
          release: ga
          description: >
            Fields for Azure activity logs.
          fields:
            - name: identity_name
              type: keyword
              description: Identity name
            - name: identity
              type: group
              description: >
                Identity
              fields:
                - name: claims_initiated_by_user
                  type: group
                  description: >
                    Claims initiated by user
                  fields:
                    - name: name
                      type: keyword
                      description: >
                        Name
                    - name: givenname
                      type: keyword
                      description: >
                        Given name
                    - name: surname
                      type: keyword
                      description: >
                        Surname
                    - name: fullname
                      type: keyword
                      description: >
                        Full name
                    - name: schema
                      type: keyword
                      description: >
                        Schema
                - name: claims.*
                  type: object
                  object_type: keyword
                  object_type_mapping_type: "*"
                  description: >
                    Claims
                - name: authorization
                  type: group
                  description: >
                    Authorization
                  fields:
                    - name: scope
                      type: keyword
                      description: >
                        Scope
                    - name: action
                      type: keyword
                      description: >
                        Action
                    - name: evidence
                      type: group
                      description: >
                        Evidence
                      fields:
                        - name: role_assignment_scope
                          type: keyword
                          description: >
                            Role assignment scope
                        - name: role_definition_id
                          type: keyword
                          description: >
                            Role definition ID
                        - name: role
                          type: keyword
                          description: >
                            Role
                        - name: role_assignment_id
                          type: keyword
                          description: >
                            Role assignment ID
                        - name: principal_id
                          type: keyword
                          description: >
                            Principal ID
                        - name: principal_type
                          type: keyword
                          description: >
                            Principal type
            - name: tenant_id
              type: keyword
              description: >
                Tenant ID
            - name: level
              type: long
              description: >
                Level
            - name: operation_version
              type: keyword
              description: >
                Operation version
            - name: operation_name
              type: keyword
              description: >
                Operation name
            - name: result_type
              type: keyword
              description: >
                Result type
            - name: result_signature
              type: keyword
              description: >
                Result signature
            - name: category
              type: keyword
              description: >
                Category
            - name: event_category
              type: keyword
              description: >
                Event Category
            - name: properties
              type: flattened
              description: >
                Properties
        - name: auditlogs
          type: group
          release: ga
          description: >
            Fields for Azure audit logs.
          fields:
            - name: category
              type: keyword
              description: >
                The category of the operation. Currently, Audit is the only supported value.
            - name: operation_name
              type: keyword
              description: >
                The operation name
            - name: operation_version
              type: keyword
              description: >
                The operation version
            - name: identity
              type: keyword
              description: >
                Identity
            - name: tenant_id
              type: keyword
              description: >
                Tenant ID
            - name: result_signature
              type: keyword
              description: >
                Result signature
            - name: properties
              type: group
              description: >
                The audit log properties
              fields:
                - name: result
                  type: keyword
                  description: >
                    Log result
                - name: activity_display_name
                  type: keyword
                  description: >
                    Activity display name
                - name: result_reason
                  type: keyword
                  description: >
                    Reason for the log result
                - name: correlation_id
                  type: keyword
                  description: >
                    Correlation ID
                - name: logged_by_service
                  type: keyword
                  description: >
                    Logged by service
                - name: operation_type
                  type: keyword
                  description: >
                    Operation type
                - name: id
                  type: keyword
                  description: >
                    ID
                - name: activity_datetime
                  type: date
                  description: >
                    Activity timestamp
                - name: category
                  type: keyword
                  description: >
                    Category
                - name: target_resources.*
                  type: group
                  object_type_mapping_type: "*"
                  description: >
                    Target resources
                  fields:
                    - name: display_name
                      type: keyword
                      description: >
                        Display name
                    - name: id
                      type: keyword
                      description: >
                        ID
                    - name: type
                      type: keyword
                      description: >
                        Type
                    - name: ip_address
                      type: keyword
                      description: >
                        IP address
                    - name: user_principal_name
                      type: keyword
                      description: >
                        User principal name
                    - name: modified_properties.*
                      type: group
                      object_type: keyword
                      object_type_mapping_type: "*"
                      description: >
                        Modified properties
                      fields:
                        - name: new_value
                          type: keyword
                          description: >
                            New value
                        - name: display_name
                          type: keyword
                          description: >
                            Display name
                        - name: old_value
                          type: keyword
                          description: >
                            Old value
                - name: initiated_by
                  type: group
                  description: >
                    Information regarding the initiator
                  fields:
                    - name: app
                      type: group
                      description: >
                        App
                      fields:
                        - name: servicePrincipalName
                          type: keyword
                          description: >
                            Service principal name
                        - name: displayName
                          type: keyword
                          description: >
                            Display name
                        - name: appId
                          type: keyword
                          description: >
                            App ID
                        - name: servicePrincipalId
                          type: keyword
                          description: >
                            Service principal ID
                    - name: user
                      type: group
                      description: >
                        User
                      fields:
                        - name: userPrincipalName
                          type: keyword
                          description: >
                            User principal name
                        - name: displayName
                          type: keyword
                          description: >
                            Display name
                        - name: id
                          type: keyword
                          description: >
                            ID
                        - name: ipAddress
                          type: keyword
                          description: >
                            IP address
        - name: platformlogs
          type: group
          release: ga
          description: >
            Fields for Azure platform logs.
          fields:
            - name: operation_name
              type: keyword
              description: >
                Operation name
            - name: result_type
              type: keyword
              description: >
                Result type
            - name: result_signature
              type: keyword
              description: >
                Result signature
            - name: category
              type: keyword
              description: >
                Category
            - name: event_category
              type: keyword
              description: >
                Event Category
            - name: status
              type: keyword
              description: >
                Status
            - name: ccpNamespace
              type: keyword
              description: >
                ccpNamespace
            - name: Cloud
              type: keyword
              description: >
                Cloud
            - name: Environment
              type: keyword
              description: >
                Environment
            - name: EventTimeString
              type: keyword
              description: >
                EventTimeString
            - name: Caller
              type: keyword
              description: >
                Caller
            - name: ScaleUnit
              type: keyword
              description: >
                ScaleUnit
            - name: ActivityId
              type: keyword
              description: >
                ActivityId
            - name: properties
              type: flattened
              description: >
                Event inner properties
        - name: signinlogs
          type: group
          release: ga
          description: >
            Fields for Azure sign-in logs.
          fields:
            - name: operation_name
              type: keyword
              description: |
                The operation name
            - name: operation_version
              type: keyword
              description: |
                The operation version
            - name: tenant_id
              type: keyword
              description: |
                Tenant ID
            - name: result_signature
              type: keyword
              description: |
                Result signature
            - name: result_description
              type: keyword
              description: |
                Result description
            - name: result_type
              type: keyword
              description: |
                Result type
            - name: identity
              type: keyword
              description: |
                Identity
            - name: category
              type: keyword
              description: |
                Category
            - name: properties
              type: group
              # See https://docs.microsoft.com/en-au/graph/api/resources/signin
              fields:
                - name: id
                  type: keyword
                  description: |
                    Unique ID representing the sign-in activity.
                - name: created_at
                  type: date
                  description: |
                    Date and time (UTC) the sign-in was initiated.
                - name: user_display_name
                  type: keyword
                  description: |
                    User display name
                - name: correlation_id
                  type: keyword
                  description: |
                    Correlation ID
                - name: user_principal_name
                  type: keyword
                  description: |
                    User principal name
                - name: user_id
                  type: keyword
                  description: |
                    User ID
                - name: app_id
                  type: keyword
                  description: |
                    App ID
                - name: app_display_name
                  type: keyword
                  description: |
                    App display name
                - name: autonomous_system_number
                  type: long
                  description: Autonomous system number.
                - name: client_app_used
                  type: keyword
                  description: |
                    Client app used
                - name: conditional_access_status
                  type: keyword
                  description: |
                    Conditional access status
                - name: original_request_id
                  type: keyword
                  description: |
                    Original request ID
                - name: is_interactive
                  type: boolean
                  description: |
                    Is interactive
                - name: token_issuer_name
                  type: keyword
                  description: |
                    Token issuer name
                - name: token_issuer_type
                  type: keyword
                  description: |
                    Token issuer type
                - name: processing_time_ms
                  type: float
                  description: |
                    Processing time in milliseconds
                - name: risk_detail
                  type: keyword
                  description: |
                    Risk detail
                - name: risk_level_aggregated
                  type: keyword
                  description: |
                    Risk level aggregated
                - name: risk_level_during_signin
                  type: keyword
                  description: |
                    Risk level during sign-in
                - name: risk_state
                  type: keyword
                  description: |
                    Risk state
                - name: resource_display_name
                  type: keyword
                  description: |
                    Resource display name
                - name: status
                  type: group
                  fields:
                    - name: error_code
                      type: long
                      description: |
                        Error code
                - name: device_detail
                  type: group
                  fields:
                    - name: device_id
                      type: keyword
                      description: |
                        Device ID
                    - name: operating_system
                      type: keyword
                      description: |
                        Operating system
                    - name: browser
                      type: keyword
                      description: |
                        Browser
                    - name: display_name
                      type: keyword
                      description: |
                        Display name
                    - name: trust_type
                      type: keyword
                      description: |
                        Trust type
                    - name: is_compliant
                      type: boolean
                      description: |
                        If the device is compliant
                    - name: is_managed
                      type: boolean
                      description: |
                        If the device is managed
                - name: applied_conditional_access_policies
                  type: array
                  description: |
                    A list of conditional access policies that are triggered by the corresponding sign-in activity.
                - name: authentication_details
                  type: array
                  description: |
                    The result of the authentication attempt and additional details on the authentication method.
                - name: authentication_processing_details
                  type: flattened
                  description: |
                    Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
                - name: authentication_protocol
                  type: keyword
                  description: |
                    Authentication protocol type.
                - name: incoming_token_type
                  type: keyword
                  description: |
                    Incoming token type.
                - name: unique_token_identifier
                  type: keyword
                  description: Unique token identifier for the request.
                - name: authentication_requirement
                  type: keyword
                  description: |
                    This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
                - name: authentication_requirement_policies
                  type: flattened
                  description: |
                    Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
                - name: flagged_for_review
                  type: boolean
                - name: home_tenant_id
                  type: keyword
                - name: network_location_details
                  type: array
                  description: The network location details including the type of network used and its names.
                - name: resource_id
                  type: keyword
                  description: The identifier of the resource that the user signed in to.
                - name: resource_tenant_id
                  type: keyword
                - name: risk_event_types
                  type: keyword
                  description: |
                    The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
                - name: risk_event_types_v2
                  type: keyword
                  description: |
                    The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
                - name: service_principal_name
                  type: keyword
                  description: |
                    The application name used for sign-in. This field is populated when you are signing in using an application.
                - name: user_type
                  type: keyword
                - name: service_principal_id
                  type: keyword
                  description: |
                    The application identifier used for sign-in. This field is populated when you are signing in using an application.
                - name: cross_tenant_access_type
                  type: keyword
                - name: is_tenant_restricted
                  type: boolean
                - name: sso_extension_version
                  type: keyword
- key: barracuda
  title: Barracuda Web Application Firewall
  description: >
    Barracuda fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder.
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages.
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse metadata from a session (logs/packets)
                directly; this is a reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse metadata from a session (logs/packets) directly; this is a
                reserved key in NetWitness.
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse metadata from a session (logs/packets) directly; this is a
                reserved key in NetWitness.
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                 \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy in current
                use (TM: Int32, INDEX: UInt64), although a port number fits in a UInt16.'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device's network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; all
                protocol numbers are converted to their string names in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture Behaviors of Compromise (BOC)
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise (EOC)
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures Indicators of Compromise (IOC)
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
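The generic counter and ratio keys above are only meaningful together with their `_str` label (dclass.c1 with dclass.c1.str, and so on), several keys in the network and db groups are marked deprecated in favour of another key, and a value of the wrong shape for a `long` or `ip` field is rejected by the index mapping rather than silently stored. The following is an added example, not code from this module or from Filebeat: a Python check that parses a constructed excerpt in the shape of this fields.yml (only the `- name` / `type` / `description` / `fields` subset, so no PyYAML is needed), flattens it to dotted field names under the `rsa.` prefix (an assumption about how Filebeat names these groups), and reports mapping-incompatible values, deprecated keys with the replacement their description names, and dclass counters used without their label. The sample event is constructed.

```python
"""Added example (not Filebeat's code): parse the `- name`/`type`/`description`/
`fields` subset of fields.yml and check an event for mapping-incompatible values,
deprecated keys, and dclass counters used without their label."""
import ipaddress
import re

# Constructed excerpt in the shape of the module's fields.yml. Filebeat prefixes
# these groups with `rsa.`; that prefix is assumed in check_event() below.
FIELDS_YML = """\
- name: network
  type: group
  fields:
  - name: network_port
    type: long
    description: Deprecated, use port. NOTE that the table map and the index
      disagree on the integer width.
  - name: paddr
    type: ip
    description: Deprecated
- name: counters
  type: group
  fields:
  - name: dclass_c1
    type: long
    description: This is a generic counter key that should be used with the
      label dclass.c1.str only
  - name: dclass_c1_str
    type: keyword
    description: Generic counter string key, label for dclass.c1
"""


def parse_fields(text):
    """Parse the fields.yml subset above into nested dicts (no PyYAML needed)."""
    top, stack, desc_indent = [], [], None   # stack: (indent, field) per open item
    for raw in text.splitlines():
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if line.startswith("- name:"):
            field = {"name": line.split(":", 1)[1].strip(), "type": None,
                     "description": "", "fields": []}
            while stack and stack[-1][0] >= indent:  # close sibling/deeper items
                stack.pop()
            (stack[-1][1]["fields"] if stack else top).append(field)
            stack.append((indent, field))
            desc_indent = None
        elif desc_indent is not None and indent > desc_indent:
            stack[-1][1]["description"] += " " + line   # folded plain scalar
        elif line.startswith("type:"):
            stack[-1][1]["type"], desc_indent = line.split(":", 1)[1].strip(), None
        elif line.startswith("description:"):
            stack[-1][1]["description"], desc_indent = line.split(":", 1)[1].strip(), indent
        else:
            desc_indent = None   # overwrite:, fields:, blank lines carry no data here
    return top


def flatten(fields, prefix=""):
    """Yield (dotted name, type, description) for every leaf field."""
    for f in fields:
        if f["type"] == "group":
            yield from flatten(f["fields"], prefix + f["name"] + ".")
        else:
            yield prefix + f["name"], f["type"], f["description"]


def value_ok(value, es_type):
    """Would Elasticsearch accept `value` under the declared mapping type?"""
    if es_type == "keyword":
        return isinstance(value, str)
    if isinstance(value, bool):            # bool never coerces to a number
        return False
    if es_type == "long":                  # ints and numeric strings coerce
        return isinstance(value, int) or (
            isinstance(value, str) and re.fullmatch(r"-?\d+", value) is not None)
    try:                                   # double or ip
        float(value) if es_type == "double" else ipaddress.ip_address(value)
        return True
    except (TypeError, ValueError):
        return False


def check_event(event, schema_text=FIELDS_YML):
    """Return sorted problem strings for a flat {dotted name: value} event."""
    schema = {n: (t, d) for n, t, d in flatten(parse_fields(schema_text), "rsa.")}
    problems = []
    for key, value in event.items():
        if key not in schema:
            problems.append(f"{key}: not in schema")
            continue
        es_type, desc = schema[key]
        if not value_ok(value, es_type):
            problems.append(f"{key}: {value!r} is not a valid {es_type}")
        if desc.startswith("Deprecated"):
            m = re.search(r"use (\w+(?:\.\w+)*)", desc)
            problems.append(f"{key}: deprecated" + (f", use {m.group(1)}" if m else ""))
        if re.fullmatch(r".*\.dclass_[cr]\d", key) and key + "_str" not in event:
            problems.append(f"{key}: counter used without its label {key}_str")
    return sorted(problems)


# Constructed event, flattened to dotted names as in a Filebeat document.
SAMPLE_EVENT = {
    "rsa.network.network_port": "high",  # not a long, and the key is deprecated
    "rsa.network.paddr": "not-an-ip",    # deprecated, and the ip mapper rejects it
    "rsa.counters.dclass_c1": 7,         # counter without its dclass_c1_str label
    "rsa.db.pread": 12,                  # not in this excerpt's schema
}
```

Running `check_event(SAMPLE_EVENT)` returns six findings: the unlabelled counter, the unknown key, a type error and a deprecation for `network_port`, and a type error and a deprecation for `paddr`. Pointing the parser at the full fields.yml instead of the excerpt only requires that the file stay within the plain-scalar subset handled here (quoted scalars with escapes are not folded).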
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: This key is for uninterpreted LDAP values, those without a clear
                query or response context
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: ID of the negotiation, sent for ISAKMP Phase One
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: ID of the negotiation, sent for ISAKMP Phase Two
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the wireless channel number
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number (LUN), the address of a logical unit on a storage target.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GEOPIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GEOPIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as <strong>blacklisted</strong>, <strong>infected</strong>, <strong>firewall
                disabled</strong> and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, &lt; 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) and which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
               description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GEOPIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GEOPIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as <strong>blacklisted</strong>, <strong>infected</strong>, <strong>firewall
                disabled</strong> and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: bluecoat
  title: Blue Coat Director
  description: >
    bluecoat fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, &lt; 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 character of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                 that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                 layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
               description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the Device associated with the
                node, e.g. a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully qualified
                domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be
                a numeric value. Use policy.name otherwise.
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or system
                (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a list name or list number, primarily for
                collecting access-list identifiers
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rule name) and which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware target. VMware-only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. This key should
                never be used to parse meta data from a session (Logs/Packets) directly; it
                is a reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; all
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of the file, taken from its version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully qualified domain name
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation number of an entity. Typically used for web domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a wireless session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the WLAN channel
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key identifies a logical unit addressed on a storage target.
            - name: pwwn
              overwrite: true
              type: keyword
              description: Port World Wide Name. This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                MaxMind GeoIP database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the MaxMind
                GeoIP database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
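The file.file_entropy field defined above (type double) stores an entropy value per file but does not say how it is computed. The following is an added example, not code from this fields file or from the product that emits these events: it computes Shannon entropy in bits per byte, which is 0.0 for a buffer of one repeated byte and 8.0 when all 256 byte values are equally frequent, and applies the usual triage heuristic that compressed, packed or encrypted content sits close to 8 while text and uncompressed code sits well below. The bits-per-byte scale, the 7.2 threshold, the helper names and the sample buffers are this example's assumptions; only the two file.* field names come from the schema.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for one repeated
    byte value, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_entropy_fields(filename: str, data: bytes) -> dict:
    """Return the two file.* fields from the schema above for one file.
    Filling them from an in-memory buffer is this example's assumption."""
    return {
        "file.filename_dst": filename,
        "file.file_entropy": round(shannon_entropy(data), 4),
    }


# Assumed triage threshold (bits per byte). Packed executables, archives and
# ciphertext land near 8.0; ASCII text and most plain code land around 4 to 6.
PACKED_THRESHOLD = 7.2


def looks_packed_or_encrypted(entropy: float) -> bool:
    """Heuristic only: high entropy flags a file for closer inspection,
    it does not prove the content is malicious."""
    return entropy >= PACKED_THRESHOLD


# Constructed sample buffers, not real files.
TEXT = b"The quick brown fox jumps over the lazy dog. " * 50      # prose, ~4.4 bits/byte
CONSTANT = b"\x00" * 4096                                       # one byte value, 0.0
_rng = random.Random(1234)                                      # deterministic stand-in for ciphertext
RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))        # close to 8.0

if __name__ == "__main__":
    for name, buf in (("readme.txt", TEXT), ("zeros.bin", CONSTANT), ("payload.bin", RANDOM)):
        ev = file_entropy_fields(name, buf)
        ev["suspect"] = looks_packed_or_encrypted(ev["file.file_entropy"])
        print(ev)
```

Because the estimate is computed over whole files, a small encrypted payload appended to a large plain-text carrier is averaged away; when that matters, compute the value over fixed-size windows (for example 4 KiB) and record the maximum alongside the whole-file figure.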
- key: cef-module
  title: CEF
  description: >
    Module for receiving CEF logs over syslog. The module adds vendor-specific
    fields in addition to the fields the decode_cef processor provides.
  fields:
        - name: forcepoint
          type: group
          description: >
            Fields for Forcepoint Custom String mappings
          fields:
            - name: virus_id
              type: keyword
              description: >
                Virus ID
        
        
        - name: checkpoint
          type: group
          description: >
            Fields for Check Point custom string mappings.
          fields:
            - name: app_risk
              type: keyword
              overwrite: true
              description: Application risk.
        
            - name: app_severity
              type: keyword
              overwrite: true
              description: Application threat severity.
        
            - name: app_sig_id
              type: keyword
              overwrite: true
              description: The signature ID which the application was detected by.
        
            - name: auth_method
              type: keyword
              overwrite: true
              description: Password authentication protocol used.
        
            - name: category
              type: keyword
              overwrite: true
              description: Category.
        
            - name: confidence_level
              type: integer
              overwrite: true
              description: Confidence level determined.
        
            - name: connectivity_state
              type: keyword
              overwrite: true
              description: Connectivity state.
        
            - name: cookie
              type: keyword
              overwrite: true
              description: IKE cookie.
        
            - name: dst_phone_number
              type: keyword
              overwrite: true
              description: Destination IP-Phone.
        
            - name: email_control
              type: keyword
              overwrite: true
              description: Engine name.
        
            - name: email_id
              type: keyword
              overwrite: true
              description: Internal email ID.
        
            - name: email_recipients_num
              type: long
              overwrite: true
              description: Number of recipients.
        
            - name: email_session_id
              type: keyword
              overwrite: true
              description: Internal email session ID.
        
            - name: email_spool_id
              overwrite: true
              type: keyword
              description: Internal email spool ID.
        
            - name: email_subject
              type: keyword
              overwrite: true
              description: Email subject.
        
            - name: event_count
              type: long
              overwrite: true
              description: Number of events associated with the log.
        
            - name: frequency
              type: keyword
              overwrite: true
              description: Scan frequency.
        
            - name: icmp_type
              type: long
              overwrite: true
              description: ICMP type.
        
            - name: icmp_code
              type: long
              overwrite: true
              description: ICMP code.
        
            - name: identity_type
              type: keyword
              overwrite: true
              description: Identity type.
        
            - name: incident_extension
              type: keyword
              overwrite: true
              description: Format of original data.
        
            - name: integrity_av_invoke_type
              type: keyword
              overwrite: true
              description: Scan invoke type.
        
            - name: malware_family
              type: keyword
              overwrite: true
              description: Malware family.
        
            - name: peer_gateway
              type: ip
              overwrite: true
              description: Main IP of the peer Security Gateway.
        
            - name: performance_impact
              type: integer
              overwrite: true
              description: Protection performance impact.
        
            - name: protection_id
              type: keyword
              overwrite: true
              description: Protection malware ID.
        
            - name: protection_name
              type: keyword
              overwrite: true
              description: Specific signature name of the attack.
        
            - name: protection_type
              type: keyword
              overwrite: true
              description: Type of protection used to detect the attack.
        
            - name: scan_result
              type: keyword
              overwrite: true
              description: Scan result.
        
            - name: sensor_mode
              type: keyword
              overwrite: true
              description: Sensor mode.
        
            - name: severity
              type: keyword
              overwrite: true
              description: Threat severity.
        
            - name: spyware_name
              type: keyword
              overwrite: true
              description: Spyware name.
        
            - name: spyware_status
              type: keyword
              overwrite: true
              description: Spyware status.
        
            - name: subs_exp
              type: date
              overwrite: true
              description: The expiration date of the subscription.
        
            - name: tcp_flags
              type: keyword
              overwrite: true
              description: TCP packet flags.
        
            - name: termination_reason
              type: keyword
              overwrite: true
              description: Termination reason.
        
            - name: update_status
              type: keyword
              overwrite: true
              description: Update status.
        
            - name: user_status
              type: keyword
              overwrite: true
              description: User response.
        
            - name: uuid
              type: keyword
              overwrite: true
              description: External ID.
        
            - name: virus_name
              type: keyword
              overwrite: true
              description: Virus name.
        
            - name: voip_log_type
              type: keyword
              overwrite: true
              description: VoIP log types.
        
        - name: cef.extensions
          type: group
          description: >
            Extra vendor-specific extensions.
          fields:
        
            - name: cp_app_risk
              type: keyword
        
            - name: cp_severity
              type: keyword
        
            - name: ifname
              type: keyword
        
            - name: inzone
              type: keyword
        
            - name: layer_uuid
              type: keyword
        
            - name: layer_name
              type: keyword
        
            - name: logid
              type: keyword
        
            - name: loguid
              type: keyword
        
            - name: match_id
              type: keyword
        
            - name: nat_addtnl_rulenum
              type: keyword
        
            - name: nat_rulenum
              type: keyword
        
            - name: origin
              type: keyword
        
            - name: originsicname
              type: keyword
        
            - name: outzone
              type: keyword
        
            - name: parent_rule
              type: keyword
        
            - name: product
              type: keyword
        
            - name: rule_action
              type: keyword
        
            - name: rule_uid
              type: keyword
        
            - name: sequencenum
              type: keyword
        
            - name: service_id
              type: keyword
        
            - name: version
              type: keyword
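The module description above says CEF arrives over syslog, decode_cef splits it, and the checkpoint and cef.extensions groups hold what the vendor adds on top. The decoder below is an added example, not Filebeat's decode_cef processor or this module's ingest pipeline, written to show the two parsing rules a consumer has to get right: the seven header fields are pipe-delimited with `\|` and `\\` as the only escapes, and extension values may contain spaces, so a new key begins only at whitespace followed by `key=`, while an escaped `\=` inside a value never starts one. The syslog prefix, both sample lines, the header values, and the copy of cp_app_risk and cp_severity into checkpoint.app_risk and checkpoint.severity are this example's assumptions; the extension key names are the ones listed in the cef.extensions group above.

```python
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# Assumed copy of two vendor keys from the cef.extensions group into the
# checkpoint group above; an illustration, not the module's documented mapping.
CHECKPOINT_KEY_MAP = {"cp_app_risk": "checkpoint.app_risk",
                      "cp_severity": "checkpoint.severity"}

_ESCAPES = {"n": "\n", "r": "\r"}          # \= and \\ simply drop the backslash


def _unescape(value: str) -> str:
    """Undo CEF extension escaping (backslash followed by =, backslash, n or r)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def split_header(cef: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited header fields and the extension text.
    A backslash escapes the next character, so an escaped pipe never ends a field."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, cef[i:]


# A key starts at the beginning of the extension text or after whitespace and is
# followed by an unescaped '='. Values therefore may contain spaces and '\='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_extensions(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; a repeated key keeps its last value."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def decode_cef(line: str) -> Dict[str, str]:
    """Decode one syslog line carrying a CEF message into dotted field names
    shaped like the groups above (cef.*, cef.extensions.*, checkpoint.*)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("line carries no CEF message")
    header, ext = split_header(line[start:])
    event = {"cef.version": header[0].split(":", 1)[1]}
    for name, value in zip(HEADER_FIELDS[1:], header[1:]):
        event["cef." + name] = value
    for key, value in parse_extensions(ext).items():
        event["cef.extensions." + key] = value
        if key in CHECKPOINT_KEY_MAP:
            event[CHECKPOINT_KEY_MAP[key]] = value
    return event


# Constructed sample lines, not captured from a real gateway. SAMPLE is escaped
# correctly (\| in the name, \= and \\ in msg); UNESCAPED shows a producer that
# leaves an '=' unescaped inside a value.
SAMPLE = ("<134>Mar 29 13:19:20 gw01 CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Log|"
          "Allow \\| audit|Unknown|act=Accept cp_app_risk=Medium cp_severity=Informational "
          "ifname=eth0 inzone=Internal outzone=External rule_uid=1a2b3c4d rule_action=Accept "
          "src=10.1.1.7 dst=203.0.113.10 dpt=443 msg=query a\\=1 and path C:\\\\tmp")
UNESCAPED = "CEF:0|Vendor|Product|1.0|100|Login|3|suser=guest msg=note: suser=admin"

if __name__ == "__main__":
    for k, v in decode_cef(SAMPLE).items():
        print(k, "=", repr(v))
    print(decode_cef(UNESCAPED))
```

The second sample is the failure mode worth remembering when these fields feed detections: a producer that does not escape `=` lets attacker-influenced text (a username, a URL, a free-form message) open a new key, and in this last-wins decoder the injected `suser=admin` replaces the real `suser=guest` while `msg` is truncated to `note:`. A compliant producer emits `suser\=admin` there; for producers you cannot vouch for, treat the decoded extension fields as untrusted input rather than as ground truth for alerting.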
- key: checkpoint
  title: Checkpoint
  description: >
    Fields for the Check Point syslog module.
  fields:
        - name: checkpoint
          type: group
          release: ga
          description: >
            Module for parsing Check Point syslog.
          fields:
            - name: confidence_level
              type: integer
              overwrite: true
              description: >
                Confidence level determined by ThreatCloud.
        
            - name: calc_desc
              type: keyword
              overwrite: true
              description: >
                Log description.
        
            - name: dst_country
              type: keyword
              overwrite: true
              description: >
                Destination country.
        
            - name: dst_user_name
              type: keyword
              overwrite: true
              description: >
                Connected user name on the destination IP.
        
            - name: email_id
              type: keyword
              overwrite: true
              description: >
                Email number in the SMTP connection.
        
            - name: email_subject
              type: keyword
              overwrite: true
              description: >
                Original email subject.
        
            - name: email_session_id
              type: keyword
              overwrite: true
              description: >
                Connection UUID.
        
            - name: event_count
              type: long
              overwrite: true
              description: >
                Number of events associated with the log.
        
            - name: sys_message
              type: keyword
              overwrite: true
              description: >
                System messages
        
            - name: logid
              type: keyword
              overwrite: true
              description: >
                System messages
        
            - name: failure_impact
              type: keyword
              overwrite: true
              description: >
                The impact of update service failure.
        
            - name: id
              type: integer
              overwrite: true
              description: >
                Override application ID.
        
            - name: identity_src
              type: keyword
              description: >
                The source for authentication identity information.
        
            - name: information
              type: keyword
              overwrite: true
              description: >
                Policy installation status for a specific blade.
        
            - name: layer_name
              type: keyword
              overwrite: true
              description: >
                Layer name.
        
            - name: layer_uuid
              type: keyword
              overwrite: true
              description: >
                Layer UUID.
        
            - name: log_id
              type: integer
              overwrite: true
              description: >
                Unique identity for logs.
        
            - name: malware_family
              type: keyword
              overwrite: true
              description: >
                Additional information on protection.
        
            - name: origin_sic_name
              type: keyword
              overwrite: true
              description: >
                Machine SIC (Secure Internal Communication) name.
        
            - name: policy_mgmt
              type: keyword
              overwrite: true
              description: >
                Name of the Management Server that manages this Security Gateway.
        
            - name: policy_name
              type: keyword
              overwrite: true
              description: >
                Name of the last policy that this Security Gateway fetched.
        
            - name: protection_id
              type: keyword
              overwrite: true
              description: >
                Protection malware id.
        
            - name: protection_name
              type: keyword
              overwrite: true
              description: >
                Specific signature name of the attack.
        
            - name: protection_type
              type: keyword
              overwrite: true
              description: >
                Type of protection used to detect the attack.
        
            - name: protocol
              type: keyword
              overwrite: true
              description: >
                Protocol detected on the connection.
        
            - name: proxy_src_ip
              type: ip
              overwrite: true
              description: >
                Sender source IP (even when a proxy is used).
        
            - name: rule
              type: integer
              overwrite: true
              description: >
                Matched rule number.
        
            - name: rule_action
              type: keyword
              overwrite: true
              description: >
                Action of the matched rule in the access policy.
        
            - name: scan_direction
              type: keyword
              overwrite: true
              description: >
                Scan direction.
        
            - name: session_id
              type: keyword
              overwrite: true
              description: >
                Log UUID.
        
            - name: source_os
              type: keyword
              overwrite: true
              description: >
                OS which generated the attack.
        
            - name: src_country
              type: keyword
              overwrite: true
              description: >
                Country name, derived from connection source IP address.
        
            - name: src_user_name
              type: keyword
              overwrite: true
              description: >
                User name connected to the source IP.
        
            - name: ticket_id
              type: keyword
              overwrite: true
              description: >
                Unique ID per file.
        
            - name: tls_server_host_name
              type: keyword
              overwrite: true
              description: >
                SNI/CN from encrypted TLS connection used by URLF for categorization.
        
            - name: verdict
              type: keyword
              overwrite: true
              description: >
                TE (Threat Emulation) engine verdict. Possible values: Malicious/Benign/Error.
        
            - name: user
              type: keyword
              overwrite: true
              description: >
                Source user name.
        
            - name: vendor_list
              type: keyword
              overwrite: true
              description: >
                The vendor name that provided the verdict for a malicious URL.
        
            - name: web_server_type
              type: keyword
              overwrite: true
              description: >
                Web server detected in the HTTP response.
        
            - name: client_name
              type: keyword
              overwrite: true
              description: >
                Client Application or Software Blade that detected the event.
        
            - name: client_version
              type: keyword
              overwrite: true
              description: >
                Build version of SandBlast Agent client installed on the computer.
        
            - name: extension_version
              type: keyword
              overwrite: true
              description: >
                Build version of the SandBlast Agent browser extension.
        
            - name: host_time
              type: keyword
              overwrite: true
              description: >
                Local time on the endpoint computer.
        
            - name: installed_products
              type: keyword
              overwrite: true
              description: >
                List of installed Endpoint Software Blades.
        
            - name: cc
              type: keyword
              overwrite: true
              description: >
                The Carbon Copy address of the email.
        
            - name: parent_process_username
              type: keyword
              overwrite: true
              description: >
                Owner username of the parent process of the process that triggered the attack.
        
            - name: process_username
              type: keyword
              overwrite: true
              description: >
                Owner username of the process that triggered the attack.
        
            - name: audit_status
              type: keyword
              overwrite: true
              description: >
                Audit Status. Can be Success or Failure.
        
            - name: objecttable
              type: keyword
              overwrite: true
              description: >
                Table of affected objects.
        
            - name: objecttype
              type: keyword
              overwrite: true
              description: >
                The type of the affected object.
        
            - name: operation_number
              type: keyword
              overwrite: true
              description: >
                The operation number.
        
            - name: email_recipients_num
              type: integer
              overwrite: true
              description: >
                Number of recipients the mail was sent to.
        
            - name: suppressed_logs
              type: integer
              overwrite: true
              description: >
                Aggregated connections for five minutes on the same source, destination and port.
        
            - name: blade_name
              type: keyword
              overwrite: true
              description: >
                Blade name.
        
            - name: status
              type: keyword
              overwrite: true
              description: >
                Ok/Warning/Error.
        
            - name: short_desc
              type: keyword
              overwrite: true
              description: >
                Short description of the process that was executed.
        
            - name: long_desc
              type: keyword
              overwrite: true
              description: >
                More information on the process (usually describing error reason in failure).
        
            - name: scan_hosts_hour
              type: integer
              overwrite: true
              description: >
                Number of unique hosts during the last hour.
        
            - name: scan_hosts_day
              type: integer
              overwrite: true
              description: >
                Number of unique hosts during the last day.
        
            - name: scan_hosts_week
              type: integer
              overwrite: true
              description: >
                Number of unique hosts during the last week.
        
            - name: unique_detected_hour
              type: integer
              overwrite: true
              description: >
                Detected virus for a specific host during the last hour.
        
            - name: unique_detected_day
              type: integer
              overwrite: true
              description: >
                Detected virus for a specific host during the last day.
        
            - name: unique_detected_week
              type: integer
              overwrite: true
              description: >
                Detected virus for a specific host during the last week.
        
            - name: scan_mail
              type: integer
              overwrite: true
              description: >
                Number of emails that were scanned by "AB malicious activity" engine.
        
            - name: additional_ip
              type: keyword
              overwrite: true
              description: >
                DNS host name.
        
            - name: description
              type: keyword
              overwrite: true
              description: >
                Additional explanation how the security gateway enforced the connection.
        
            - name: email_spam_category
              type: keyword
              overwrite: true
              description: >
                Email categories. Possible values: spam/not spam/phishing.
        
            - name: email_control_analysis
              type: keyword
              overwrite: true
              description: >
                Message classification, received from spam vendor engine.
        
            - name: scan_results
              type: keyword
              overwrite: true
              description: >
                "Infected"/description of a failure.
        
            - name: original_queue_id
              type: keyword
              overwrite: true
              description: >
                Original postfix email queue id.
        
            - name: risk
              type: keyword
              overwrite: true
              description: >
                Risk level we got from the engine.
        
            - name: roles
              type: keyword
              description: >
                The role of identity.
        
            - name: observable_name
              type: keyword
              overwrite: true
              description: >
                IOC observable signature name.
        
            - name: observable_id
              type: keyword
              overwrite: true
              description: >
                IOC observable signature id.
        
            - name: observable_comment
              type: keyword
              overwrite: true
              description: >
                IOC observable signature description.
        
            - name: indicator_name
              type: keyword
              overwrite: true
              description: >
                IOC indicator name.
        
            - name: indicator_description
              type: keyword
              overwrite: true
              description: >
                IOC indicator description.
        
            - name: indicator_reference
              type: keyword
              overwrite: true
              description: >
                IOC indicator reference.
        
            - name: indicator_uuid
              type: keyword
              overwrite: true
              description: >
                IOC indicator uuid.
        
            - name: app_desc
              type: keyword
              overwrite: true
              description: >
                Application description.
        
            - name: app_id
              type: integer
              overwrite: true
              description: >
                Application ID.
        
            - name: app_sig_id
              type: keyword
              overwrite: true
              description: >
                IOC indicator description.
        
            - name: certificate_resource
              type: keyword
              overwrite: true
              description: >
                HTTPS resource. Possible values: SNI or domain name (DN).
        
            - name: certificate_validation
              type: keyword
              overwrite: true
              description: >
                Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.
        
            - name: browse_time
              type: keyword
              overwrite: true
              description: >
                Application session browse time.
        
            - name: limit_requested
              type: integer
              overwrite: true
              description: >
                Indicates whether data limit was requested for the session.
        
            - name: limit_applied
              type: integer
              overwrite: true
              description: >
                Indicates whether the session was actually data limited.
        
            - name: dropped_total
              type: integer
              overwrite: true
              description: >
                Amount of dropped packets (both incoming and outgoing).
        
            - name: client_type_os
              type: keyword
              overwrite: true
              description: >
                Client OS detected in the HTTP request.
        
            - name: name
              type: keyword
              overwrite: true
              description: >
                Application name.
        
            - name: properties
              type: keyword
              overwrite: true
              description: >
                Application categories.
        
            - name: sig_id
              type: keyword
              overwrite: true
              description: >
                Application's signature ID, by which it was detected.
        
            - name: desc
              type: keyword
              overwrite: true
              description: >
                Override application description.
        
            - name: referrer_self_uid
              type: keyword
              overwrite: true
              description: >
                UUID of the current log.
        
            - name: referrer_parent_uid
              type: keyword
              overwrite: true
              description: >
                Log UUID of the referring application.
        
            - name: needs_browse_time
              type: integer
              overwrite: true
              description: >
                Browse time required for the connection.
        
            - name: cluster_info
              type: keyword
              overwrite: true
              description: >
                Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.
        
            - name: sync
              type: keyword
              overwrite: true
              description: >
                Sync status and the reason (stable, at risk).
        
            - name: file_direction
              type: keyword
              overwrite: true
              description: >
                File direction. Possible options: upload/download.
        
            - name: invalid_file_size
              type: integer
              overwrite: true
              description: >
                File_size field is valid only if this field is set to 0.
        
            - name: top_archive_file_name
              type: keyword
              overwrite: true
              description: >
                In case of archive file: the file that was sent/received.
        
            - name: data_type_name
              type: keyword
              overwrite: true
              description: >
                Data type in rulebase that was matched.
        
            - name: specific_data_type_name
              type: keyword
              overwrite: true
              description: >
                Compound/Group scenario, data type that was matched.
        
            - name: word_list
              type: keyword
              overwrite: true
              description: >
                Words matched by data type.
        
            - name: info
              type: keyword
              overwrite: true
              description: >
                Special log message.
        
            - name: outgoing_url
              type: keyword
              overwrite: true
              description: >
                URL related to this log (for HTTP).
        
            - name: dlp_rule_name
              type: keyword
              overwrite: true
              description: >
                Matched rule name.
        
            - name: dlp_recipients
              type: keyword
              overwrite: true
              description: >
                Mail recipients.
        
            - name: dlp_subject
              type: keyword
              overwrite: true
              description: >
                Mail subject.
        
            - name: dlp_word_list
              type: keyword
              overwrite: true
              description: >
                Phrases matched by data type.
        
            - name: dlp_template_score
              type: keyword
              overwrite: true
              description: >
                Template data type match score.
        
            - name: message_size
              type: integer
              overwrite: true
              description: >
                Mail/post size.
        
            - name: dlp_incident_uid
              type: keyword
              overwrite: true
              description: >
                Unique ID of the matched rule.
        
            - name: dlp_related_incident_uid
              type: keyword
              overwrite: true
              description: >
                Other ID related to this one.
        
            - name: dlp_data_type_name
              type: keyword
              overwrite: true
              description: >
                Matched data type.
        
            - name: dlp_data_type_uid
              type: keyword
              overwrite: true
              description: >
                Unique ID of the matched data type.
        
            - name: dlp_violation_description
              type: keyword
              overwrite: true
              description: >
                Violation descriptions described in the rulebase.
        
            - name: dlp_relevant_data_types
              type: keyword
              overwrite: true
              description: >
                In case of Compound/Group: the inner data types that were matched.
        
            - name: dlp_action_reason
              type: keyword
              overwrite: true
              description: >
                Action chosen reason.
        
            - name: dlp_categories
              type: keyword
              overwrite: true
              description: >
                Data type category.
        
            - name: dlp_transint
              type: keyword
              overwrite: true
              description: >
                HTTP/SMTP/FTP.
        
            - name: duplicate
              type: keyword
              overwrite: true
              description: >
                Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
        
            - name: incident_extension
              type: keyword
              overwrite: true
              description: >
                Matched data type.
        
            - name: matched_file
              type: keyword
              overwrite: true
              description: >
                Unique ID of the matched data type.
        
            - name: matched_file_text_segments
              type: integer
              overwrite: true
              description: >
                Fingerprint: number of text segments matched by this traffic.
        
            - name: matched_file_percentage
              type: integer
              overwrite: true
              description: >
                Fingerprint: match percentage of the traffic.
        
            - name: dlp_additional_action
              type: keyword
              overwrite: true
              description: >
                Watermark/None.
        
            - name: dlp_watermark_profile
              type: keyword
              overwrite: true
              description: >
                Watermark which was applied.
        
            - name: dlp_repository_id
              type: keyword
              overwrite: true
              description: >
                ID of scanned repository.
        
            - name: dlp_repository_root_path
              type: keyword
              overwrite: true
              description: >
                Repository path.
        
            - name: scan_id
              type: keyword
              overwrite: true
              description: >
                Sequential number of scan.
        
            - name: special_properties
              type: integer
              overwrite: true
              description: >
                If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
        
            - name: dlp_repository_total_size
              type: integer
              overwrite: true
              description: >
                Repository size.
        
            - name: dlp_repository_files_number
              type: integer
              overwrite: true
              description: >
                Number of files in repository.
        
            - name: dlp_repository_scanned_files_number
              type: integer
              overwrite: true
              description: >
                Number of scanned files in repository.
        
            - name: duration
              type: keyword
              overwrite: true
              description: >
                Scan duration.
        
            - name: dlp_fingerprint_long_status
              type: keyword
              overwrite: true
              description: >
                Scan status - long format.
        
            - name: dlp_fingerprint_short_status
              type: keyword
              overwrite: true
              description: >
                Scan status - short format.
        
            - name: dlp_repository_directories_number
              type: integer
              overwrite: true
              description: >
                Number of directories in repository.
        
            - name: dlp_repository_unreachable_directories_number
              type: integer
              overwrite: true
              description: >
                Number of directories the Security Gateway was unable to read.
        
            - name: dlp_fingerprint_files_number
              type: integer
              overwrite: true
              description: >
                Number of successfully scanned files in repository.
        
            - name: dlp_repository_skipped_files_number
              type: integer
              overwrite: true
              description: >
                Number of files skipped because of configuration.
        
            - name: dlp_repository_scanned_directories_number
              type: integer
              overwrite: true
              description: >
                Amount of directories scanned.
        
            - name: number_of_errors
              type: integer
              overwrite: true
              description: >
                Number of files that were not scanned due to an error.
        
            - name: next_scheduled_scan_date
              type: keyword
              overwrite: true
              description: >
                Next scan scheduled time according to time object.
        
            - name: dlp_repository_scanned_total_size
              type: integer
              overwrite: true
              description: >
                Size scanned.
        
            - name: dlp_repository_reached_directories_number
              type: integer
              overwrite: true
              description: >
                Number of scanned directories in repository.
        
            - name: dlp_repository_not_scanned_directories_percentage
              type: integer
              overwrite: true
              description: >
                Percentage of directories the Security Gateway was unable to read.
        
            - name: speed
              type: integer
              overwrite: true
              description: >
                Current scan speed.
        
            - name: dlp_repository_scan_progress
              type: integer
              overwrite: true
              description: >
                Scan percentage.
        
            - name: sub_policy_name
              type: keyword
              overwrite: true
              description: >
                Layer name.
        
            - name: sub_policy_uid
              type: keyword
              overwrite: true
              description: >
                Layer uid.
        
            - name: fw_message
              type: keyword
              overwrite: true
              description: >
                Used for various firewall errors.
        
            - name: message
              type: keyword
              overwrite: true
              description: >
                ISP link has failed.
        
            - name: isp_link
              type: keyword
              overwrite: true
              description: >
                Name of ISP link.
        
            - name: fw_subproduct
              type: keyword
              overwrite: true
              description: >
                Can be vpn/non vpn.
        
            - name: sctp_error
              type: keyword
              overwrite: true
              description: >
                Error information: what caused SCTP to fail on out_of_state.
        
            - name: chunk_type
              type: keyword
              overwrite: true
              description: >
                Chunk of the SCTP stream.
        
            - name: sctp_association_state
              type: keyword
              overwrite: true
              description: >
                The bad state you were trying to update to.
        
            - name: tcp_packet_out_of_state
              type: keyword
              overwrite: true
              description: >
                State violation.
        
            - name: tcp_flags
              type: keyword
              overwrite: true
              description: >
                TCP packet flags (SYN, ACK, etc.).
        
            - name: connectivity_level
              type: keyword
              overwrite: true
              description: >
                Log for a new connection in wire mode.
        
            - name: ip_option
              type: integer
              overwrite: true
              description: >
                IP option that was dropped.
        
            - name: tcp_state
              type: keyword
              overwrite: true
              description: >
                Log reinting a tcp state change.
        
            - name: expire_time
              type: keyword
              overwrite: true
              description: >
                Connection closing time.
        
            - name: icmp_type
              type: integer
              overwrite: true
              description: >
                In case a connection is ICMP, type info will be added to the log.
        
            - name: icmp_code
              type: integer
              overwrite: true
              description: >
                In case a connection is ICMP, code info will be added to the log.
        
            - name: rpc_prog
              type: integer
              overwrite: true
              description: >
                Log for new RPC state - prog values.
        
            - name: dce-rpc_interface_uuid
              type: keyword
              overwrite: true
              description: >
                Log for new RPC state - UUID values.
        
            - name: elapsed
              type: keyword
              overwrite: true
              description: >
                Time passed since start time.
        
            - name: icmp
              type: keyword
              overwrite: true
              description: >
                Number of packets received by the client.
        
            - name: capture_uuid
              type: keyword
              overwrite: true
              description: >
                UUID generated for the capture. Used when enabling the capture when logging.
        
            - name: diameter_app_ID
              type: integer
              overwrite: true
              description: >
                The ID of diameter application.
        
            - name: diameter_cmd_code
              type: integer
              overwrite: true
              description: >
                Diameter not allowed application command id.
        
            - name: diameter_msg_type
              type: keyword
              overwrite: true
              description: >
                Diameter message type.
        
            - name: cp_message
              type: integer
              overwrite: true
              description: >
                Used to log a general message.
        
            - name: log_delay
              type: integer
              overwrite: true
              description: >
                Time left before deleting template.
        
            - name: attack_status
              type: keyword
              overwrite: true
              description: >
                In case of a malicious event on an endpoint computer, the status of the attack.
        
            - name: impacted_files
              type: keyword
              overwrite: true
              description: >
                In case of an infection on an endpoint computer, the list of files that the malware impacted.
        
            - name: remediated_files
              type: keyword
              overwrite: true
              description: >
                In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
        
            - name: triggered_by
              type: keyword
              overwrite: true
              description: >
                The name of the mechanism that triggered the Software Blade to enforce a protection.
        
            - name: https_inspection_rule_id
              type: keyword
              overwrite: true
              description: >
                ID of the matched rule.
        
            - name: https_inspection_rule_name
              type: keyword
              overwrite: true
              description: >
                Name of the matched rule.
        
            - name: app_properties
              type: keyword
              overwrite: true
              description: >
                List of all found categories.
        
            - name: https_validation
              type: keyword
              overwrite: true
              description: >
                Precise error, describing HTTPS inspection failure.
        
            - name: https_inspection_action
              type: keyword
              overwrite: true
              description: >
                HTTPS inspection action (Inspect/Bypass/Error).
        
            - name: icap_service_id
              type: integer
              overwrite: true
              description: >
                Service ID, can work with multiple servers, treated as services.
        
            - name: icap_server_name
              type: keyword
              overwrite: true
              description: >
                Server name.
        
            - name: internal_error
              type: keyword
              overwrite: true
              description: >
                Internal error, for troubleshooting.
        
            - name: icap_more_info
              type: integer
              overwrite: true
              description: >
                Free text for verdict.
        
            - name: reply_status
              type: integer
              overwrite: true
              description: >
                ICAP reply status code, e.g. 200 or 204.
        
            - name: icap_server_service
              type: keyword
              overwrite: true
              description: >
                Service name, as given in the ICAP URI.
        
            - name: mirror_and_decrypt_type
              type: keyword
              overwrite: true
              description: >
                Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
        
            - name: interface_name
              type: keyword
              overwrite: true
              description: >
                Designated interface for mirror and decrypt.
        
            - name: session_uid
              type: keyword
              overwrite: true
              description: >
                HTTP session-id.
        
            - name: broker_publisher
              type: ip
              overwrite: true
              description: >
                IP address of the broker publisher who shared the session information.
        
            - name: src_user_dn
              type: keyword
              overwrite: true
              description: >
                User distinguished name connected to source IP.
        
            - name: proxy_user_name
              type: keyword
              overwrite: true
              description: >
                User name connected to proxy IP.
        
            - name: proxy_machine_name
              type: integer
              overwrite: true
              description: >
                Machine name connected to proxy IP.
        
            - name: proxy_user_dn
              type: keyword
              overwrite: true
              description: >
                User distinguished name connected to proxy IP.
        
            - name: query
              type: keyword
              overwrite: true
              description: >
                DNS query.
        
            - name: dns_query
              type: keyword
              overwrite: true
              description: >
                DNS query.
        
            - name: inspection_item
              type: keyword
              overwrite: true
              description: >
                Blade element that performed the inspection.
        
            - name: performance_impact
              type: integer
              overwrite: true
              description: >
                Protection performance impact.
        
            - name: inspection_category
              type: keyword
              overwrite: true
              description: >
                Inspection category: protocol anomaly, signature etc.
        
            - name: inspection_profile
              type: keyword
              overwrite: true
              description: >
                Profile which the activated protection belongs to.
        
            - name: summary
              type: keyword
              overwrite: true
              description: >
                Summary message of non-compliant DNS traffic drops or detects.
        
            - name: question_rdata
              type: keyword
              overwrite: true
              description: >
                List of question record domains.
        
            - name: answer_rdata
              type: keyword
              overwrite: true
              description: >
                List of answer resource records to the questioned domains.
        
            - name: authority_rdata
              type: keyword
              overwrite: true
              description: >
                List of authoritative servers.
        
            - name: additional_rdata
              type: keyword
              overwrite: true
              description: >
                List of additional resource records.
        
            - name: files_names
              type: keyword
              overwrite: true
              description: >
                List of files requested by FTP.
        
            - name: ftp_user
              type: keyword
              overwrite: true
              description: >
                FTP username.
        
            - name: mime_from
              type: keyword
              overwrite: true
              description: >
                Sender's address.
        
            - name: mime_to
              type: keyword
              overwrite: true
              description: >
                List of receiver addresses.
        
            - name: bcc
              type: keyword
              overwrite: true
              description: >
                List of BCC addresses.
        
            - name: content_type
              type: keyword
              overwrite: true
              description: >
                Mail content type. Possible values: application/msword, text/html, image/gif etc.
        
            - name: user_agent
              type: keyword
              overwrite: true
              description: >
                String identifying the requesting software's user agent.
        
            - name: referrer
              type: keyword
              overwrite: true
              description: >
                Referrer HTTP request header, previous web page address.
        
            - name: http_location
              type: keyword
              overwrite: true
              description: >
                Response header, indicates the URL to redirect a page to.
        
            - name: content_disposition
              type: keyword
              overwrite: true
              description: >
                Indicates how the content is expected to be displayed inline in the browser.
        
            - name: via
              type: keyword
              overwrite: true
              description: >
                Via header is added by proxies for tracking purposes to avoid sending requests in a loop.
        
            - name: http_server
              type: keyword
              overwrite: true
              description: >
                Server HTTP header value, contains information about the software used by the origin server, which handles the request.
        
            - name: content_length
              type: keyword
              overwrite: true
              description: >
                Indicates the size of the entity-body of the HTTP header.
        
            - name: authorization
              type: keyword
              overwrite: true
              description: >
                Authorization HTTP header value.
        
            - name: http_host
              type: keyword
              overwrite: true
              description: >
                Domain name of the server that the HTTP request is sent to.
        
            - name: inspection_settings_log
              type: keyword
              overwrite: true
              description: >
                Indicates that the log was released by inspection settings.
        
            - name: cvpn_resource
              type: keyword
              overwrite: true
              description: >
                Mobile Access application.
        
            - name: cvpn_category
              type: keyword
              overwrite: true
              description: >
                Mobile Access application type.
        
            - name: url
              type: keyword
              overwrite: true
              description: >
                Translated URL.
        
            - name: reject_id
              type: keyword
              overwrite: true
              description: >
                A reject ID that corresponds to the one presented in the Mobile Access error page.
        
            - name: fs-proto
              type: keyword
              overwrite: true
              description: >
                The file share protocol used in the Mobile Access file share application.
        
            - name: app_package
              type: keyword
              overwrite: true
              description: >
                Unique identifier of the application on the protected mobile device.
        
            - name: appi_name
              type: keyword
              overwrite: true
              description: >
                Name of application downloaded on the protected mobile device.
        
            - name: app_repackaged
              type: keyword
              overwrite: true
              description: >
                Indicates whether the original application was repackaged by someone other than the official developer.
        
            - name: app_sid_id
              type: keyword
              overwrite: true
              description: >
                Unique SHA identifier of a mobile application.
        
            - name: app_version
              type: keyword
              overwrite: true
              description: >
                Version of the application downloaded on the protected mobile device.
        
            - name: developer_certificate_name
              type: keyword
              overwrite: true
              description: >
                Name of the developer's certificate that was used to sign the mobile application.
        
            - name: email_control
              type: keyword
              overwrite: true
              description: >
                Engine name.
        
            - name: email_message_id
              type: keyword
              overwrite: true
              description: >
                Email session ID (unique ID of the mail).
        
            - name: email_queue_id
              type: keyword
              overwrite: true
              description: >
                Postfix email queue id.
        
            - name: email_queue_name
              type: keyword
              overwrite: true
              description: >
                Postfix email queue name.
        
            - name: file_name
              type: keyword
              overwrite: true
              description: >
                Malicious file name.
        
            - name: failure_reason
              type: keyword
              overwrite: true
              description: >
                MTA failure description.
        
            - name: email_headers
              type: keyword
              overwrite: true
              description: >
                String containing all the email headers.
        
            - name: arrival_time
              type: keyword
              overwrite: true
              description: >
                Email arrival timestamp.
        
            - name: email_status
              type: keyword
              overwrite: true
              description: >
                Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
        
            - name: status_update
              type: keyword
              overwrite: true
              description: >
                Last time log was updated.
        
            - name: delivery_time
              type: keyword
              overwrite: true
              description: >
                Timestamp of when the email was delivered (MTA finished handling the email).
        
            - name: links_num
              type: integer
              overwrite: true
              description: >
                Number of links in the mail.
        
            - name: attachments_num
              type: integer
              overwrite: true
              description: >
                Number of attachments in the mail.
        
            - name: email_content
              type: keyword
              overwrite: true
              description: >
                Mail contents. Possible options: attachments/links & attachments/links/text only.
        
            - name: allocated_ports
              type: integer
              overwrite: true
              description: >
                Amount of allocated ports.
        
            - name: capacity
              type: integer
              overwrite: true
              description: >
                Capacity of the ports.
        
            - name: ports_usage
              type: integer
              overwrite: true
              description: >
                Percentage of allocated ports.
        
            - name: nat_exhausted_pool
              type: keyword
              overwrite: true
              description: >
                4-tuple of an exhausted pool.
        
            - name: nat_rulenum
              type: integer
              overwrite: true
              description: >
                NAT rulebase first matched rule.
        
            - name: nat_addtnl_rulenum
              type: integer
              overwrite: true
              description: >
                When two automatic rules match, the second rule match is shown; otherwise the field is 0.
        
            - name: message_info
              type: keyword
              overwrite: true
              description: >
                Used for information messages, for example: NAT connection has ended.
        
            - name: nat46
              type: keyword
              overwrite: true
              description: >
                NAT 46 status, in most cases "enabled".
        
            - name: end_time
              type: keyword
              overwrite: true
              description: >
                TCP connection end time.
        
            - name: tcp_end_reason
              type: keyword
              overwrite: true
              description: >
                Reason for TCP connection closure.
        
            - name: cgnet
              type: keyword
              overwrite: true
              description: >
                Describes NAT allocation for specific subscriber.
        
            - name: subscriber
              type: ip
              overwrite: true
              description: >
                Source IP before CGNAT.
        
            - name: hide_ip
              type: ip
              overwrite: true
              description: >
                Source IP which will be used after CGNAT.
        
            - name: int_start
              type: integer
              overwrite: true
              description: >
                Subscriber start int which will be used for NAT.
        
            - name: int_end
              type: integer
              overwrite: true
              description: >
                Subscriber end int which will be used for NAT.
        
            - name: packet_amount
              type: integer
              overwrite: true
              description: >
                Amount of packets dropped.
        
            - name: monitor_reason
              type: keyword
              overwrite: true
              description: >
                Aggregated logs of monitored packets.
        
            - name: drops_amount
              type: integer
              overwrite: true
              description: >
                Amount of multicast packets dropped.
        
            - name: securexl_message
              type: keyword
              overwrite: true
              description: >
                Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
        
            - name: conns_amount
              type: integer
              overwrite: true
              description: >
                Connections amount of aggregated log info.
        
            - name: scope
              type: keyword
              overwrite: true
              description: >
                IP related to the attack.
        
            - name: analyzed_on
              type: keyword
              overwrite: true
              description: >
                Check Point ThreatCloud / emulator name.
        
            - name: detected_on
              type: keyword
              overwrite: true
              description: >
                System and applications version the file was emulated on.
        
            - name: dropped_file_name
              type: keyword
              overwrite: true
              description: >
                List of names dropped from the original file.
        
            - name: dropped_file_type
              type: keyword
              overwrite: true
              description: >
                List of file types dropped from the original file.
        
            - name: dropped_file_hash
              type: keyword
              overwrite: true
              description: >
                List of file hashes dropped from the original file.
        
            - name: dropped_file_verdict
              type: keyword
              overwrite: true
              description: >
                List of file verdicts dropped from the original file.
        
            - name: emulated_on
              type: keyword
              overwrite: true
              description: >
                Images the files were emulated on.
        
            - name: extracted_file_type
              type: keyword
              overwrite: true
              description: >
                Types of extracted files in case of an archive.
        
            - name: extracted_file_names
              type: keyword
              overwrite: true
              description: >
                Names of extracted files in case of an archive.
        
            - name: extracted_file_hash
              type: keyword
              overwrite: true
              description: >
                Archive hash in case of extracted files.
        
            - name: extracted_file_verdict
              type: keyword
              overwrite: true
              description: >
                Verdict of extracted files in case of an archive.
        
            - name: extracted_file_uid
              type: keyword
              overwrite: true
              description: >
                UID of extracted files in case of an archive.
        
            - name: mitre_initial_access
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to break into your network.
        
            - name: mitre_execution
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to run malicious code.
        
            - name: mitre_persistence
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to maintain their foothold.
        
            - name: mitre_privilege_escalation
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to gain higher-level permissions.
        
            - name: mitre_defense_evasion
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to avoid being detected.
        
            - name: mitre_credential_access
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to steal account names and passwords.
        
            - name: mitre_discovery
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to expose information about your environment.
        
            - name: mitre_lateral_movement
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to explore your environment.
        
            - name: mitre_collection
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to collect data of interest to achieve their goal.
        
            - name: mitre_command_and_control
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to communicate with compromised systems in order to control them.
        
            - name: mitre_exfiltration
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to steal data.
        
            - name: mitre_impact
              type: keyword
              overwrite: true
              description: >
                The adversary is trying to manipulate, interrupt, or destroy your systems and data.
        
            - name: parent_file_hash
              type: keyword
              overwrite: true
              description: >
                Archive's hash in case of extracted files.
        
            - name: parent_file_name
              type: keyword
              overwrite: true
              description: >
                Archive's name in case of extracted files.
        
            - name: parent_file_uid
              type: keyword
              overwrite: true
              description: >
                Archive's UID in case of extracted files.
        
            - name: similiar_iocs
              type: keyword
              overwrite: true
              description: >
                Other IoCs similar to the ones found, related to the malicious file.
        
            - name: similar_hashes
              type: keyword
              overwrite: true
              description: >
                Hashes found similar to the malicious file.
        
            - name: similar_strings
              type: keyword
              overwrite: true
              description: >
                Strings found similar to the malicious file.
        
            - name: similar_communication
              type: keyword
              overwrite: true
              description: >
                Network action found similar to the malicious file.
        
            - name: te_verdict_determined_by
              type: keyword
              overwrite: true
              description: >
                Emulators determined file verdict.
        
            - name: packet_capture_unique_id
              type: keyword
              overwrite: true
              description: >
                Identifier of the packet capture files.
        
            - name: total_attachments
              type: integer
              overwrite: true
              description: >
                The number of attachments in an email.
        
            - name: additional_info
              type: keyword
              overwrite: true
              description: >
                ID of original file/mail which are sent by admin.
        
            - name: content_risk
              type: integer
              overwrite: true
              description: >
                File risk.
        
            - name: operation
              type: keyword
              overwrite: true
              description: >
                Operation made by Threat Extraction.
        
            - name: scrubbed_content
              type: keyword
              overwrite: true
              description: >
                Active content that was found.
        
            - name: scrub_time
              type: keyword
              overwrite: true
              description: >
                Extraction process duration.
        
            - name: scrub_download_time
              type: keyword
              overwrite: true
              description: >
                File download time from resource.
        
            - name: scrub_total_time
              type: keyword
              overwrite: true
              description: >
                Threat extraction total file handling time.
        
            - name: scrub_activity
              type: keyword
              overwrite: true
              description: >
                The result of the extraction.
        
            - name: watermark
              type: keyword
              overwrite: true
              description: >
                Reports whether watermark is added to the cleaned file.
        
            - name: snid
              type: keyword
              description: >
                The Check Point session ID.
        
            - name: source_object
              type: keyword
              overwrite: true
              description: >
                Matched object name on source column.
        
            - name: destination_object
              type: keyword
              overwrite: true
              description: >
                Matched object name on destination column.
        
            - name: drop_reason
              type: keyword
              overwrite: true
              description: >
                Drop reason description.
        
            - name: hit
              type: integer
              overwrite: true
              description: >
                Number of hits on a rule.
        
            - name: rulebase_id
              type: integer
              overwrite: true
              description: >
                Layer number.
        
            - name: first_hit_time
              type: integer
              overwrite: true
              description: >
                First hit time in current interval.
        
            - name: last_hit_time
              type: integer
              overwrite: true
              description: >
                Last hit time in current interval.
        
            - name: rematch_info
              type: keyword
              overwrite: true
              description: >
                Information sent when old connections cannot be matched during policy installation.
        
            - name: last_rematch_time
              type: keyword
              overwrite: true
              description: >
                Connection rematched time.
        
            - name: action_reason
              type: integer
              overwrite: true
              description: >
                Connection drop reason.
        
            - name: action_reason_msg
              type: keyword
              overwrite: true
              description: >
                Connection drop reason message.
        
            - name: c_bytes
              type: integer
              overwrite: true
              description: >
                Boolean value indicates whether bytes sent from the client side are used.
        
            - name: context_num
              type: integer
              overwrite: true
              description: >
                Serial number of the log for a specific connection.
        
            - name: match_id
              type: integer
              overwrite: true
              description: >
                Private key of the rule.
        
            - name: alert
              type: keyword
              overwrite: true
              description: >
                Alert level of matched rule (for connection logs).
        
            - name: parent_rule
              type: integer
              overwrite: true
              description: >
                Parent rule number, in case of inline layer.
        
            - name: match_fk
              type: integer
              overwrite: true
              description: >
                Rule number.
        
            - name: dropped_outgoing
              type: integer
              overwrite: true
              description: >
                Number of outgoing bytes dropped when using UP-limit feature.
        
            - name: dropped_incoming
              type: integer
              overwrite: true
              description: >
                Number of incoming bytes dropped when using UP-limit feature.
        
            - name: media_type
              type: keyword
              overwrite: true
              description: >
                Media used (audio, video, etc.).
        
            - name: sip_reason
              type: keyword
              overwrite: true
              description: >
                Explains why 'source_ip' isn't allowed to redirect (handover).
        
            - name: voip_method
              type: keyword
              overwrite: true
              description: >
                Registration request.
        
            - name: registered_ip-phones
              type: keyword
              overwrite: true
              description: >
                Registered IP-Phones.
        
            - name: voip_reg_user_type
              type: keyword
              overwrite: true
              description: >
                Registered IP-Phone type.
        
            - name: voip_call_id
              type: keyword
              overwrite: true
              description: >
                Call-ID.
        
            - name: voip_reg_int
              type: integer
              overwrite: true
              description: >
                Registration port.
        
            - name: voip_reg_ipp
              type: integer
              overwrite: true
              description: >
                Registration IP protocol.
        
            - name: voip_reg_period
              type: integer
              overwrite: true
              description: >
                Registration period.
        
            - name: voip_log_type
              type: keyword
              overwrite: true
              description: >
                VoIP log types. Possible values: reject, call, registration.
        
            - name: src_phone_number
              type: keyword
              overwrite: true
              description: >
                Source IP-Phone.
        
            - name: voip_from_user_type
              type: keyword
              overwrite: true
              description: >
                Source IP-Phone type.
        
            - name: dst_phone_number
              type: keyword
              overwrite: true
              description: >
                Destination IP-Phone.
        
            - name: voip_to_user_type
              type: keyword
              overwrite: true
              description: >
                Destination IP-Phone type.
        
            - name: voip_call_dir
              type: keyword
              overwrite: true
              description: >
                Call direction: in/out.
        
            - name: voip_call_state
              type: keyword
              overwrite: true
              description: >
                Call state. Possible values: in/out.
        
            - name: voip_call_term_time
              type: keyword
              overwrite: true
              description: >
                Call termination time stamp.
        
            - name: voip_duration
              type: keyword
              overwrite: true
              description: >
                Call duration (seconds).
        
            - name: voip_media_port
              type: keyword
              overwrite: true
              description: >
                Media int.
        
            - name: voip_media_ipp
              type: keyword
              overwrite: true
              description: >
                Media IP protocol.
        
            - name: voip_est_codec
              type: keyword
              overwrite: true
              description: >
                Estimated codec.
        
            - name: voip_exp
              type: integer
              overwrite: true
              description: >
                Expiration.
        
            - name: voip_attach_sz
              type: integer
              overwrite: true
              description: >
                Attachment size.
        
            - name: voip_attach_action_info
              type: keyword
              overwrite: true
              description: >
                Attachment action Info.
        
            - name: voip_media_codec
              type: keyword
              overwrite: true
              description: >
                Estimated codec.
        
            - name: voip_reject_reason
              type: keyword
              overwrite: true
              description: >
                Reject reason.
        
            - name: voip_reason_info
              type: keyword
              overwrite: true
              description: >
                Information.
        
            - name: voip_config
              type: keyword
              overwrite: true
              description: >
                Configuration.
        
            - name: voip_reg_server
              type: ip
              overwrite: true
              description: >
                Registrar server IP address.
        
            - name: scv_user
              type: keyword
              overwrite: true
              description: >
                Username whose packets are dropped on SCV.
        
            - name: scv_message_info
              type: keyword
              overwrite: true
              description: >
                Drop reason.
        
            - name: ppp
              type: keyword
              overwrite: true
              description: >
                Authentication status.
        
            - name: scheme
              type: keyword
              overwrite: true
              description: >
                Describes the scheme used for the log.
        
            - name: auth_method
              type: keyword
              overwrite: true
              description: >
                Password authentication protocol used (PAP or EAP).
        
            - name: auth_status
              type: keyword
              description: >
                The authentication status for an event.
        
            - name: machine
              type: keyword
              overwrite: true
              description: >
                L2TP machine which triggered the log and the log refers to it.
        
            - name: vpn_feature_name
              type: keyword
              overwrite: true
              description: >
                L2TP /IKE / Link Selection.
        
            - name: reject_category
              type: keyword
              overwrite: true
              description: >
                Authentication failure reason.
        
            - name: peer_ip_probing_status_update
              type: keyword
              overwrite: true
              description: >
                IP address response status.
        
            - name: peer_ip
              type: keyword
              overwrite: true
              description: >
                IP address which the client connects to.
        
            - name: peer_gateway
              type: ip
              overwrite: true
              description: >
                Main IP of the peer Security Gateway.
        
            - name: link_probing_status_update
              type: keyword
              overwrite: true
              description: >
                IP address response status.
        
            - name: source_interface
              type: keyword
              overwrite: true
              description: >
                External Interface name for source interface or Null if not found.
        
            - name: next_hop_ip
              type: keyword
              overwrite: true
              description: >
                Next hop IP address.
        
            - name: srckeyid
              type: keyword
              overwrite: true
              description: >
                Initiator Spi ID.
        
            - name: dstkeyid
              type: keyword
              overwrite: true
              description: >
                Responder Spi ID.
        
            - name: encryption_failure
              type: keyword
              overwrite: true
              description: >
                Message indicating why the encryption failed.
        
            - name: ike_ids
              type: keyword
              overwrite: true
              description: >
                All QM ids.
        
            - name: community
              type: keyword
              overwrite: true
              description: >
                Community name for the IPSec key and the use of the IKEv.
        
            - name: ike
              type: keyword
              overwrite: true
              description: >
                IKE mode (PHASE1, PHASE2, etc.).
        
            - name: cookieI
              type: keyword
              overwrite: true
              description: >
                Initiator cookie.
        
            - name: cookieR
              type: keyword
              overwrite: true
              description: >
                Responder cookie.
        
            - name: msgid
              type: keyword
              overwrite: true
              description: >
                Message ID.
        
            - name: methods
              type: keyword
              overwrite: true
              description: >
                IPSec methods.
        
            - name: connection_uid
              type: keyword
              overwrite: true
              description: >
                Calculation of md5 of the IP and user name as UID.
        
            - name: site_name
              type: keyword
              overwrite: true
              description: >
                Site name.
        
            - name: esod_rule_name
              type: keyword
              overwrite: true
              description: >
                Unknown rule name.
        
            - name: esod_rule_action
              type: keyword
              overwrite: true
              description: >
                Unknown rule action.
        
            - name: esod_rule_type
              type: keyword
              overwrite: true
              description: >
                Unknown rule type.
        
            - name: esod_noncompliance_reason
              type: keyword
              overwrite: true
              description: >
                Non-compliance reason.
        
            - name: esod_associated_policies
              type: keyword
              overwrite: true
              description: >
                Associated policies.
        
            - name: spyware_name
              type: keyword
              overwrite: true
              description: >
                Spyware name.
        
            - name: spyware_type
              type: keyword
              overwrite: true
              description: >
                Spyware type.
        
            - name: anti_virus_type
              type: keyword
              overwrite: true
              description: >
                Anti virus type.
        
            - name: end_user_firewall_type
              type: keyword
              overwrite: true
              description: >
                End user firewall type.
        
            - name: esod_scan_status
              type: keyword
              overwrite: true
              description: >
                Scan status, for example "Scan failed".
        
            - name: esod_access_status
              type: keyword
              overwrite: true
              description: >
                Access status, for example "Access denied".
        
            - name: client_type
              type: keyword
              overwrite: true
              description: >
                Client type, for example "Endpoint Connect".
        
            - name: precise_error
              type: keyword
              overwrite: true
              description: >
                HTTP parser error.
        
            - name: method
              type: keyword
              overwrite: true
              description: >
                HTTP method.
        
            - name: trusted_domain
              type: keyword
              overwrite: true
              description: >
                In case of phishing event, the domain, which the attacker was impersonating.
        
            - name: comment
              type: keyword
        
            - name: conn_direction
              type: keyword
              description: Connection direction
        
            - name: db_ver
              type: keyword
              description: Database version
        
            - name: update_status
              type: keyword
              overwrite: true
              description: Status of database update
- key: cisco
  title: Cisco
  description: >
    Module for handling Cisco network device logs.
  fields:

        - name: cisco.amp
          type: group
          release: beta
          description: >
            Module for parsing Cisco AMP logs.
          fields:
            - name: timestamp_nanoseconds
              type: date
              description: >
                The timestamp in Epoch nanoseconds.
        
            - name: event_type_id
              type: keyword
              description: >
                A sub ID of the event, depending on event type.
        
            - name: detection
              type: keyword
              description: >
                The name of the malware detected.
        
            - name: detection_id
              type: keyword
              description: >
                The ID of the detection.
        
            - name: connector_guid
              type: keyword
              description: >
                The GUID of the connector sending information to AMP.
        
            - name: group_guids
              type: keyword
              description: >
                An array of group GUIDs related to the connector sending information to AMP.
        
            - name: vulnerabilities
              type: flattened
              description: >
                An array of related vulnerabilities to the malicious event.
        
            - name: scan.description
              type: keyword
              description: >
                Description of an event related to a scan being initiated, for example the specific directory name.
        
            - name: scan.clean
              type: boolean
              description: >
                Whether the scanned file was clean.
        
            - name: scan.scanned_files
              type: long
              description: >
                Count of files scanned in a directory.
        
            - name: scan.scanned_processes
              type: long
              description: >
                Count of processes scanned related to a single scan event.
        
            - name: scan.scanned_paths
              type: long
              description: >
                Count of different directories scanned related to a single scan event.
        
            - name: scan.malicious_detections
              type: long
              description: >
                Count of malicious files or documents detected related to a single scan event.
        
            - name: computer.connector_guid
              type: keyword
              description: >
                The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.
        
            - name: computer.external_ip
              type: ip
              description: >
                The external IP of the related host.
        
            - name: computer.active
              type: boolean
              description: >
                If the current endpoint is active or not.
        
            - name: computer.network_addresses
              type: flattened
              description: >
                All network interface information on the related host.
        
            - name: file.disposition
              type: keyword
              description: >
                Categorization of file, for example "Malicious" or "Clean".
        
            - name: network_info.disposition
              type: keyword
              description: >
                Categorization of a network event related to a file, for example "Malicious" or "Clean".
        
            - name: network_info.nfm.direction
              type: keyword
              description: >
                The current direction based on source and destination IP.
        
            - name: related.mac
              type: keyword
              description: >
                An array of all related MAC addresses.
        
            - name: related.cve
              type: keyword
              description: >
                An array of all related CVE identifiers.
        
            - name: cloud_ioc.description
              type: keyword
              description: >
                Description of the related IOC for specific IOC events from AMP.
        
            - name: cloud_ioc.short_description
              type: keyword
              description: >
                Short description of the related IOC for specific IOC events from AMP.
        
            - name: network_info.parent.disposition
              type: keyword
              description: >
                Categorization of an IOC, for example "Malicious" or "Clean".
        
            - name: network_info.parent.identity.md5
              type: keyword
              description: >
                MD5 hash of the related IOC.
        
            - name: network_info.parent.identity.sha1
              type: keyword
              description: >
                SHA1 hash of the related IOC.
        
            - name: network_info.parent.identify.sha256
              type: keyword
              description: >
                SHA256 hash of the related IOC.
        
            - name: file.archived_file.disposition
              type: keyword
              description: >
                Categorization of a file archive related to a file, for example "Malicious" or "Clean".
        
            - name: file.archived_file.identity.md5
              type: keyword
              description: >
                MD5 hash of the archived file related to the malicious event.
        
            - name: file.archived_file.identity.sha1
              type: keyword
              description: >
                SHA1 hash of the archived file related to the malicious event.
        
            - name: file.archived_file.identity.sha256
              type: keyword
              description: >
                SHA256 hash of the archived file related to the malicious event.
        
            - name: file.attack_details.application
              type: keyword
              description: >
                The application name related to Exploit Prevention events.
        
            - name: file.attack_details.attacked_module
              type: keyword
              description: >
                Path to the executable or dll that was attacked and detected by Exploit Prevention.
        
            - name: file.attack_details.base_address
              type: keyword
              description: >
                The base memory address related to the exploit detected.
        
            - name: file.attack_details.suspicious_files
              type: keyword
              description: >
                An array of related files when an attack is detected by Exploit Prevention.
        
            - name: file.parent.disposition
              type: keyword
              description: >
                Categorization of the parent, for example "Malicious" or "Clean".
        
            - name: error.description
              type: keyword
              description: >
                Description of an endpoint error event.
        
            - name: error.error_code
              type: keyword
              description: >
                The error code describing the related error event.
        
            - name: threat_hunting.severity
              type: keyword
              description: >
                Severity result of the threat hunt registered to the malicious event. Ranges from Low to Critical.
        
            - name: threat_hunting.incident_report_guid
              type: keyword
              description: >
                The GUID of the related threat hunting report.
        
            - name: threat_hunting.incident_hunt_guid
              type: keyword
              description: >
                The GUID of the related investigation tracking issue.
        
            - name: threat_hunting.incident_title
              type: keyword
              description: >
                Title of the incident related to the threat hunting activity.
        
            - name: threat_hunting.incident_summary
              type: keyword
              description: >
                Summary of the outcome on the threat hunting activity.
        
            - name: threat_hunting.incident_remediation
              type: keyword
              description: >
                Recommendations to resolve the vulnerability or exploited host.
        
            - name: threat_hunting.incident_id
              type: keyword
              description: >
                The id of the related incident for the threat hunting activity.
        
            - name: threat_hunting.incident_end_time
              type: date
              description: >
                When the threat hunt finalized or closed.
        
            - name: threat_hunting.incident_start_time
              type: date
              description: >
                When the threat hunt was initiated.
        
            - name: file.attack_details.indicators
              type: flattened
              description: >
                Different indicator types that match the exploit detected, for example different MITRE tactics.
        
            - name: threat_hunting.tactics
              type: flattened
              description: >
                List of all MITRE tactics related to the incident found.
        
            - name: threat_hunting.techniques
              type: flattened
              description: >
                List of all MITRE techniques related to the incident found.
        
            - name: tactics
              type: flattened
              description: >
                List of all MITRE tactics related to the incident found.
        
            - name: mitre_tactics
              type: keyword
              description: >
                Array of all related MITRE tactic IDs.
        
            - name: techniques
              type: flattened
              description: >
                List of all MITRE techniques related to the incident found.
        
            - name: mitre_techniques
              type: keyword
              description: >
                Array of all related MITRE technique IDs.
        
            - name: command_line.arguments
              type: keyword
              description: >
                The CLI arguments related to the Cloud Threat IOC reported by Cisco.
        
            - name: bp_data
              type: flattened
              description: >
                Endpoint isolation information
        - name: cisco.asa
          type: group
          description: >
            Fields for Cisco ASA Firewall.
          fields:
          - name: message_id
            type: keyword
            description: >
              The Cisco ASA message identifier.
        
          - name: suffix
            type: keyword
            example: session
            description: >
              Optional suffix after %ASA identifier.
        
          - name: source_interface
            type: keyword
            description: >
              Source interface for the flow or event.
        
          - name: destination_interface
            type: keyword
            description: >
              Destination interface for the flow or event.
        
          - name: rule_name
            type: keyword
            description: >
              Name of the Access Control List rule that matched this event.
        
          - name: source_username
            type: keyword
            description: >
              Name of the user that is the source for this event.
        
          - name: source_user_security_group_tag
            type: long
            description: >
              The Security Group Tag for the source user. Security Group Tags are 16-bit identifiers used to represent logical group privileges.
        
          - name: destination_username
            type: keyword
            description: >
              Name of the user that is the destination for this event.
        
          - name: destination_user_security_group_tag
            type: long
            description: >
              The Security Group Tag for the destination user. Security Group Tags are 16-bit identifiers used to represent logical group privileges.
        
          - name: mapped_source_ip
            type: ip
            description: >
              The translated source IP address.
        
          - name: mapped_source_host
            type: keyword
            description: >
              The translated source host.
        
          - name: mapped_source_port
            type: long
            description: >
              The translated source port.
        
          - name: mapped_destination_ip
            type: ip
            description: >
              The translated destination IP address.
        
          - name: mapped_destination_host
            type: keyword
            description: >
              The translated destination host.
        
          - name: mapped_destination_port
            type: long
            description: >
              The translated destination port.
        
          - name: threat_level
            type: keyword
            description: >
              Threat level for malware / botnet traffic. One of very-low, low,
              moderate, high or very-high.
        
          - name: threat_category
            type: keyword
            description: >
              Category for the malware / botnet traffic. For example: virus, botnet,
              trojan, etc.
        
          - name: connection_id
            type: keyword
            description: >
              Unique identifier for a flow.
        
          - name: icmp_type
            type: short
            description: >
              ICMP type.
        
          - name: icmp_code
            type: short
            description: >
              ICMP code.
        
          - name: connection_type
            type: keyword
            description: >
              The VPN connection type
        
          - name: dap_records
            type: keyword
            description: >
              The assigned DAP records
        
          - name: command_line_arguments
            type: keyword
            description: >
              The command line arguments logged by the local audit log
        
          - name: assigned_ip
            type: ip
            description: >
              The IP address assigned to a VPN client successfully connecting
        
          - name: privilege.old
            type: keyword
            description: >
              When a user's privilege is changed, this is the old value
        
          - name: privilege.new
            type: keyword
            description: >
              When a user's privilege is changed, this is the new value
        
          - name: burst.object
            type: keyword
            description: >
              The related object for burst warnings
        
          - name: burst.id
            type: keyword
            description: >
              The related rate ID for burst warnings
        
          - name: burst.current_rate
            type: keyword
            description: >
              The current burst rate seen
        
          - name: burst.configured_rate
            type: keyword
            description: >
              The current configured burst rate
        
          - name: burst.avg_rate
            type: keyword
            description: >
              The current average burst rate seen
        
          - name: burst.configured_avg_rate
            type: keyword
            description: >
              The current configured average burst rate allowed
        
          - name: burst.cumulative_count
            type: keyword
            description: >
              The total count of burst rate hits since the object was created or cleared
        
          - name: termination_user
            type: keyword
            description: >
              AAA name of user requesting termination
        
          - name: webvpn.group_name
            type: keyword
            description: >
              The WebVPN group name the user belongs to
        
          - name: termination_initiator
            type: keyword
            description: >
              Interface name of the side that initiated the teardown
        
          - name: tunnel_type
            type: keyword
            description: >
              SA type (remote access or L2L)
        
          - name: session_type
            type: keyword
            description: >
              Session type (for example, IPsec or UDP)
        - name: cisco.ftd
          type: group
          description: >
            Fields for Cisco Firepower Threat Defense Firewall.
          fields:
          - name: message_id
            type: keyword
            description: >
              The Cisco FTD message identifier.
        
          - name: suffix
            type: keyword
            example: session
            description: >
              Optional suffix after %FTD identifier.
        
          - name: source_interface
            type: keyword
            description: >
              Source interface for the flow or event.
        
          - name: destination_interface
            type: keyword
            description: >
              Destination interface for the flow or event.
        
          - name: rule_name
            type: keyword
            description: >
              Name of the Access Control List rule that matched this event.
        
          - name: source_username
            type: keyword
            description: >
              Name of the user that is the source for this event.
        
          - name: destination_username
            type: keyword
            description: >
              Name of the user that is the destination for this event.
        
          - name: mapped_source_ip
            type: ip
            description: >
              The translated source IP address. Use ECS source.nat.ip.
        
          - name: mapped_source_host
            type: keyword
            description: >
              The translated source host.
        
          - name: mapped_source_port
            type: long
            description: >
              The translated source port. Use ECS source.nat.port.
        
          - name: mapped_destination_ip
            type: ip
            description: >
              The translated destination IP address. Use ECS destination.nat.ip.
        
          - name: mapped_destination_host
            type: keyword
            description: >
              The translated destination host.
        
          - name: mapped_destination_port
            type: long
            description: >
              The translated destination port. Use ECS destination.nat.port.
        
          - name: threat_level
            type: keyword
            description: >
              Threat level for malware / botnet traffic. One of very-low, low,
              moderate, high or very-high.
        
          - name: threat_category
            type: keyword
            description: >
              Category for the malware / botnet traffic. For example: virus, botnet,
              trojan, etc.
        
          - name: connection_id
            type: keyword
            description: >
              Unique identifier for a flow.
        
          - name: icmp_type
            type: short
            description: >
              ICMP type.
        
          - name: icmp_code
            type: short
            description: >
              ICMP code.
        
          - name: security
            type: object
            description:
              Raw fields for Security Events.
        
          - name: connection_type
            type: keyword
            description: >
              The VPN connection type
        
          - name: dap_records
            type: keyword
            description: >
              The assigned DAP records
        
          - name: termination_user
            type: keyword
            description: >
              AAA name of user requesting termination
        
          - name: webvpn.group_name
            type: keyword
            description: >
              The WebVPN group name the user belongs to
        
          - name: termination_initiator
            type: keyword
            description: >
              Interface name of the side that initiated the teardown
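# Added example (not part of this fields.yml or of the Filebeat module itself): a
# small Python parser that maps a Cisco ASA/FTD 302013 "Built ... connection"
# syslog line onto the cisco.asa.* / cisco.ftd.* fields defined above (message_id,
# suffix, interfaces, connection_id, mapped_* addresses) and onto the ECS
# source.nat.* / destination.nat.* fields that the FTD descriptions point to.
# The two sample lines are constructed; the "%FTD-session-" header form is an
# assumption derived from the `suffix` example value, and the body layout follows
# the 302013 format. Fields typed `ip` in the schema are validated before they
# are emitted, so a malformed address rejects the line instead of indexing junk.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample syslog lines (not taken from the page). The "-session"
# suffix on the second line is assumed, to exercise the optional suffix field.
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 91845 for "
    "outside:203.0.113.7/51522 (203.0.113.7/51522) to "
    "inside:10.0.0.25/443 (192.0.2.10/443)",
    "%FTD-session-6-302013: Built outbound UDP connection 1027 for "
    "inside:10.0.0.9/40122 (10.0.0.9/40122) to "
    "outside:198.51.100.4/53 (198.51.100.4/53)",
]

# "%ASA-6-302013:" or "%FTD-<suffix>-6-302013:"; the optional suffix sits
# between the platform tag and the severity digit and never starts with a digit.
HEADER_RE = re.compile(
    r"^%(?P<platform>ASA|FTD)"
    r"(?:-(?P<suffix>[A-Za-z][^-]*))?"
    r"-(?P<severity>[0-7])-(?P<message_id>\d{6}):\s*(?P<body>.*)$"
)

# "<if>:<ip>/<port> (<nat_ip>/<nat_port>)": the parenthesised pair is the
# translated (mapped) address, which is what the mapped_* fields carry.
ENDPOINT = (
    r"(?P<{p}_if>[^:\s]+):(?P<{p}_ip>[^/\s]+)/(?P<{p}_port>\d+) "
    r"\((?P<{p}_nat_ip>[^/\s]+)/(?P<{p}_nat_port>\d+)\)"
)
BUILT_RE = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<transport>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for "
    + ENDPOINT.format(p="src") + " to " + ENDPOINT.format(p="dst")
    + r"(?:\s.*)?$"
)


def parse_built_connection(line: str) -> Optional[dict]:
    """Map one 302013 line onto cisco.<asa|ftd>.* plus ECS nat fields.

    Returns None for any other message or for an unparsable/invalid line so a
    caller can fall through to other parsers instead of indexing bad data.
    """
    head = HEADER_RE.match(line)
    if not head:
        return None
    body = BUILT_RE.match(head["body"])
    if not body:
        return None
    ns = "cisco." + head["platform"].lower()  # cisco.asa or cisco.ftd
    ev = {
        ns + ".message_id": head["message_id"],
        "event.severity": int(head["severity"]),
        ns + ".connection_id": body["conn_id"],
        ns + ".source_interface": body["src_if"],
        ns + ".destination_interface": body["dst_if"],
        "network.transport": body["transport"].lower(),
        "network.direction": body["direction"],
    }
    if head["suffix"]:
        ev[ns + ".suffix"] = head["suffix"]
    for side, ecs in (("src", "source"), ("dst", "destination")):
        try:
            ip = ipaddress.ip_address(body[side + "_ip"])
            nat_ip = ipaddress.ip_address(body[side + "_nat_ip"])
        except ValueError:
            return None  # schema type "ip" would reject this document anyway
        ev[ecs + ".ip"] = str(ip)
        ev[ecs + ".port"] = int(body[side + "_port"])
        ev[ecs + ".nat.ip"] = str(nat_ip)
        ev[ecs + ".nat.port"] = int(body[side + "_nat_port"])
        ev[ns + ".mapped_" + ecs + "_ip"] = str(nat_ip)
        ev[ns + ".mapped_" + ecs + "_port"] = int(body[side + "_nat_port"])
    return ev


def nat_translated(ev: dict) -> bool:
    """True when either endpoint was rewritten by NAT (mapped != observed)."""
    return any(
        ev[s + ".ip"] != ev[s + ".nat.ip"] or ev[s + ".port"] != ev[s + ".nat.port"]
        for s in ("source", "destination")
    )


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_built_connection(raw)
        print(raw)
        for key in sorted(parsed):
            print(f"  {key} = {parsed[key]}")
        print("  nat_translated =", nat_translated(parsed))
```

# Usage: run the file directly to print both parsed events. The same regexes
# serve ASA and FTD because only the platform tag in the header differs; the
# namespace of the emitted keys is chosen from that tag.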
        - name: cisco.ios
          type: group
          description: >
            Fields for Cisco IOS logs.
          fields:
          - name: access_list
            type: keyword
            description: >
              Name of the IP access list.
        
          - name: facility
            type: keyword
            example: SEC
            description: >
              The facility to which the message refers (for example, SNMP, SYS, and so
              forth). A facility can be a hardware device, a protocol, or a module of
              the system software. It denotes the source or the cause of the system
              message.
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPv6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) directly;
                it is a reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) directly; it is
                a reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) directly; it
                is a reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; it is a reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The most common byte
                of the request side is simply the byte value (0 through 255) that was seen
                most often in that stream
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The most common byte
                of the response side is simply the byte value (0 through 255) that was seen
                most often in that stream
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The most common byte
                count is the number of times the most common byte (above) was seen in the
                request stream of the session
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The most common byte
                count is the number of times the most common byte (above) was seen in the
                response stream of the session
            - name: medium
              overwrite: true
              type: long
              description: This key is used to identify whether a session is a log session,
                a correlation session or a packet session; for packet sessions the value is
                the Layer 2 encapsulation type. This key should never be used to parse Meta
                data from a session (Logs/Packets) directly; it is a reserved key in NetWitness.
                32 = log, 33 = correlation session, values below 32 are packet sessions
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) directly; it is a reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the remote session created by the NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; it is a reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; it is a reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; it is a reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAP file that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; it is a reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The unique byte count
                is the number of distinct byte values seen in the request stream; 256 would
                mean all byte values from 0 through 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. The unique byte count
                is the number of distinct byte values seen in the response stream; 256 would
                mean all byte values from 0 through 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
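The Entropy Parser keys above (entropy_req/res, mcb_req/res, mcbc_req/res, ubc_req/res, payload_req/res) each describe one per-stream statistic. The following is an added worked example, not NetWitness code, showing how those statistics are computed for the request and response side of a session so that an analyst can sanity-check the meta values seen in the index (for instance, ubc_res of 256 together with entropy_res near 8.0 indicates compressed or encrypted content). The sample request and response bytes are constructed, and the UInt16 scaling of the entropy value is an assumption; the page only states that the meta type may be UInt16 or Float32.

```python
"""Per-stream metrics behind the NetWitness Entropy Parser keys (added example)."""
from collections import Counter
import math


def shannon_entropy_bits(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_uint16(data: bytes) -> int:
    """Assumed UInt16 form: entropy linearly scaled so that 8 bits/byte -> 65535.
    This scaling is an assumption for illustration, not NetWitness's definition."""
    return round(shannon_entropy_bits(data) / 8.0 * 65535)


def stream_metrics(data: bytes) -> dict:
    """Metrics for one side of a session, named like the meta keys without _req/_res."""
    counts = Counter(data)
    if counts:
        mcb, mcbc = counts.most_common(1)[0]   # most common byte and how often it was seen
    else:
        mcb, mcbc = 0, 0                        # empty stream: nothing was seen
    return {
        "payload": len(data),                   # payload size of this side
        "ubc": len(counts),                     # unique byte count; 256 means every value seen
        "mcb": mcb,                             # most common byte value (0 through 255)
        "mcbc": mcbc,                           # count of that most common byte
        "entropy": shannon_entropy_bits(data),  # Float32 style value
        "entropy_uint16": entropy_uint16(data), # assumed UInt16 style value
    }


def session_metrics(request: bytes, response: bytes) -> dict:
    """Flatten both sides into meta-key style names (entropy_req, ubc_res, ...)."""
    out = {}
    for side, data in (("req", request), ("res", response)):
        for key, value in stream_metrics(data).items():
            out[f"{key}_{side}"] = value
    return out


# Constructed sample session: a plaintext HTTP-style request (low entropy, few
# distinct bytes) and a response containing every byte value uniformly, as
# compressed or encrypted content would (ubc 256, entropy 8.0).
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = bytes(range(256)) * 4


if __name__ == "__main__":
    for key, value in sorted(session_metrics(SAMPLE_REQUEST, SAMPLE_RESPONSE).items()):
        print(f"{key:16} {value}")
```

Running the module prints the metrics for the constructed session; in practice the same functions would be applied to the reassembled request and response payloads of a captured session.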
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity assigned to the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the version of the application or OS which is
                generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: This key captures the source of the event when it is not a hostname
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: This key is used to capture the new value of the attribute that
                is changing in a session
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: This key is used to capture the old value of the attribute that
                is changing in a session
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the device associated with the
                node, e.g. a physical disk, printer, etc.
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the attribute that is
                changing in a session
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures the filter used to reduce the result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the integer IDS/IPS signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or system
                (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all unsuccessful error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a list name or list number, primarily
                for collecting access-list names or numbers
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rule name) and which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures the string form of the sig_id value.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures a second integer IDS/IPS signature ID. It must
                be linked to sig_id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures the filter category number (legacy usage)
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware target; a VMware-only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures an indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or the WLAN name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in
                Healthcare to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse meta data from a session (Logs/Packets) directly; this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse meta data from a session (Logs/Packets) directly; this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rule name) and which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, i.e. the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information.
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information.
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: cisco.umbrella
          type: group
          description: >
            Fields for Cisco Umbrella.
          fields:
          - name: identities
            type: keyword
            description: >
              An array of the different identities related to the event.
          - name: categories
            type: keyword
            description: >
              The security or content categories that the destination matches.
          - name: policy_identity_type
            type: keyword
            description: >
              The first identity type matched with this request. Available in version 3 and above.
          - name: identity_types
            type: keyword
            description: >
              The type of identity that made the request. For example, Roaming Computer or Network.
          - name: blocked_categories
            type: keyword
            description: >
              The categories that resulted in the destination being blocked. Available in version 4 and above.
          - name: content_type
            type: keyword
            description: >
              The type of web content, typically text/html.
          - name: sha_sha256
            type: keyword
            description: >
              Hex digest of the response content.
          - name: av_detections
            type: keyword
            description: >
              The detection name according to the antivirus engine used in file inspection.
          - name: puas
            type: keyword
            description: >
              A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
          - name: amp_disposition
            type: keyword
            description: >
              The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
          - name: amp_malware_name
            type: keyword
            description: >
              If Malicious, the name of the malware according to AMP.
          - name: amp_score
            type: keyword
            description: >
              The score of the malware from AMP. This field is not currently used and will be blank.
          - name: datacenter
            type: keyword
            description: >
              The name of the Umbrella Data Center that processed the user-generated traffic.
          - name: origin_id
            type: keyword
            description: >
              The unique identity of the network tunnel.
- key: coredns
  title: Coredns
  description: >
    Module for handling logs produced by coredns
  fields:
    - name: coredns
      type: group
      description: >
        coredns fields after normalization
      fields:
      - name: query.size
        type: integer
        format: bytes
        description: >
          size of the DNS query

      - name: response.size
        type: integer
        format: bytes
        description: >
          size of the DNS response
- key: crowdstrike
  title: "Crowdstrike"
  release: beta
  description: >
    Module for collecting Crowdstrike events.
  fields:
    - name: crowdstrike
      type: group
      description: >
        Fields for Crowdstrike Falcon event and alert data.
      fields:
        - name: metadata
          title: Metadata fields
          description: >
            Meta data fields for each event that include type and timestamp.
          type: group
          fields:
            - name: eventType
              type: keyword
              description: >
                The event type; one of DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent.
        
            - name: eventCreationTime
              type: date
              description: >
                The time this event occurred on the endpoint in UTC UNIX_MS format.
        
            - name: offset
              type: integer
              description: >
                Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
        
            - name: customerIDString
              type: keyword
              description: >
                Customer identifier
        
            - name: version
              type: keyword
              description: >
                Schema version
        
        - name: event
          title: Event fields
          description: >
            Event data fields for each event and alert.
          type: group
          fields:
            - name: ProcessStartTime
              type: date
              description: >
                The process start time in UTC UNIX_MS format.
        
            - name: ProcessEndTime
              type: date
              description: >
                The process termination time in UTC UNIX_MS format.
        
            - name: ProcessId
              type: integer
              description: >
                Process ID related to the detection.
        
            - name: ParentProcessId
              type: integer
              description: >
                Parent process ID related to the detection.
        
            - name: ComputerName
              type: keyword
              description: >
                Name of the computer where the detection occurred.
        
            - name: UserName
              type: keyword
              description: >
                User name associated with the detection.
        
            - name: DetectName
              type: keyword
              description: >
                Name of the detection.
        
            - name: DetectDescription
              type: keyword
              description: >
                Description of the detection.
        
            - name: Severity
              type: integer
              description: >
                Severity score of the detection.
        
            - name: SeverityName
              type: keyword
              description: >
                Severity score text.
        
            - name: FileName
              type: keyword
              description: >
                File name of the associated process for the detection.
        
            - name: FilePath
              type: keyword
              description: >
                Path of the executable associated with the detection.
        
            - name: CommandLine
              type: keyword
              description: >
                Executable path with command line arguments.
        
            - name: SHA1String
              type: keyword
              description: >
                SHA1 sum of the executable associated with the detection.
        
            - name: SHA256String
              type: keyword
              description: >
                SHA256 sum of the executable associated with the detection.
        
            - name: MD5String
              type: keyword
              description: >
                MD5 sum of the executable associated with the detection.
        
            - name: MachineDomain
              type: keyword
              description: >
                Domain for the machine associated with the detection.
        
            - name: FalconHostLink
              type: keyword
              description: >
                URL to view the detection in Falcon.
        
            - name: SensorId
              type: keyword
              description: >
                Unique ID associated with the Falcon sensor.
        
            - name: DetectId
              type: keyword
              description: >
                Unique ID associated with the detection.
        
            - name: LocalIP
              type: keyword
              description: >
                IP address of the host associated with the detection.
        
            - name: MACAddress
              type: keyword
              description: >
                MAC address of the host associated with the detection.
        
            - name: Tactic
              type: keyword
              description: >
                MITRE tactic category of the detection.
        
            - name: Technique
              type: keyword
              description: >
                MITRE technique category of the detection.
        
            - name: Objective
              type: keyword
              description: >
                Method of detection.
        
            - name: PatternDispositionDescription
              type: keyword
              description: >
                Action taken by Falcon.
        
            - name: PatternDispositionValue
              type: integer
              description: >
                Unique ID associated with action taken.
        
            - name: PatternDispositionFlags
              type: object
              description: >
                Flags indicating actions taken.
        
            - name: State
              type: keyword
              description: >
                Whether the incident summary is open and ongoing or closed.
        
            - name: IncidentStartTime
              type: date
              description: >
                Start time for the incident in UTC UNIX format.
        
            - name: IncidentEndTime
              type: date
              description: >
                End time for the incident in UTC UNIX format.
        
            - name: FineScore
              type: float
              description: >
                Score for incident.
        
            - name: UserId
              type: keyword
              description: >
                Email address or user ID associated with the event.
        
            - name: UserIp
              type: keyword
              description: >
                IP address associated with the user.
        
            - name: OperationName
              type: keyword
              description: >
                Event subtype.
        
            - name: ServiceName
              type: keyword
              description: >
                Service associated with this event.
        
            - name: Success
              type: boolean
              description: >
                Indicator of whether or not this event was successful.
        
            - name: UTCTimestamp
              type: date
              description: >
                Timestamp associated with this event in UTC UNIX format.
        
            - name: AuditKeyValues
              type: nested
              description: >
                Fields that were changed in this event.
        
            - name: ExecutablesWritten
              type: nested
              description: >
                Detected executables written to disk by a process.
        
            - name: SessionId
              type: keyword
              description: >
                Session ID of the remote response session.
        
            - name: HostnameField
              type: keyword
              description: >
                Host name of the machine for the remote session.
        
            - name: StartTimestamp
              type: date
              description: >
                Start time for the remote session in UTC UNIX format.
        
            - name: EndTimestamp
              type: date
              description: >
                End time for the remote session in UTC UNIX format.
        
            - name: LateralMovement
              type: long
              description: >
                Lateral movement field for incident.
        
            - name: ParentImageFileName
              type: keyword
              description: >
                Path to the parent process.
        
            - name: ParentCommandLine
              type: keyword
              description: >
                Parent process command line arguments.
        
            - name: GrandparentImageFileName
              type: keyword
              description: >
                Path to the grandparent process.
        
            - name: GrandparentCommandLine
              type: keyword
              description: >
                Grandparent process command line arguments.
        
            - name: IOCType
              type: keyword
              description: >
                CrowdStrike type for indicator of compromise.
        
            - name: IOCValue
              type: keyword
              description: >
                CrowdStrike value for indicator of compromise.
        
            # FirewallMatchEvent
            - name: CustomerId
              type: keyword
              description: >
                Customer identifier.
        
            - name: DeviceId
              type: keyword
              description: >
                Device on which the event occurred.
        
            - name: Ipv
              type: keyword
              description: >
                Protocol for network request.
        
            - name: ConnectionDirection
              type: keyword
              description: >
                Direction for network connection.
        
            - name: EventType
              type: keyword
              description: >
                CrowdStrike provided event type.
        
            - name: HostName
              type: keyword
              description: >
                Host name of the local machine.
        
            - name: ICMPCode
              type: keyword
              description: >
                RFC2780 ICMP Code field.
        
            - name: ICMPType
              type: keyword
              description: >
                RFC2780 ICMP Type field.
        
            - name: ImageFileName
              type: keyword
              description: >
                File name of the associated process for the detection.
        
            - name: PID
              type: long
              description: >
                Associated process id for the detection.
        
            - name: LocalAddress
              type: ip
              description: >
                IP address of local machine.
        
            - name: LocalPort
              type: long
              description: >
                Port of local machine.
        
            - name: RemoteAddress
              type: ip
              description: >
                IP address of remote machine.
        
            - name: RemotePort
              type: long
              description: >
                Port of remote machine.
        
            - name: RuleAction
              type: keyword
              description: >
                Firewall rule action.
        
            - name: RuleDescription
              type: keyword
              description: >
                Firewall rule description.
        
            - name: RuleFamilyID
              type: keyword
              description: >
                Firewall rule family id.
        
            - name: RuleGroupName
              type: keyword
              description: >
                Firewall rule group name.
        
            - name: RuleName
              type: keyword
              description: >
                Firewall rule name.
        
            - name: RuleId
              type: keyword
              description: >
                Firewall rule id.
        
            - name: MatchCount
              type: long
              description: >
                Number of firewall rule matches.
        
            - name: MatchCountSinceLastReport
              type: long
              description: >
                Number of firewall rule matches since the last report.
        
            - name: Timestamp
              type: date
              description: >
                Firewall rule triggered timestamp.
        
            # Not entirely sure about the descriptions of the following fields
            - name: Flags.Audit
              type: boolean
              description: >
                CrowdStrike audit flag.
        
            - name: Flags.Log
              type: boolean
              description: >
                CrowdStrike log flag.
        
            - name: Flags.Monitor
              type: boolean
              description: >
                CrowdStrike monitor flag.
        
            - name: Protocol
              type: keyword
              description: >
                CrowdStrike provided protocol.
        
            - name: NetworkProfile
              type: keyword
              description: >
                CrowdStrike network profile.
        
            - name: PolicyName
              type: keyword
              description: >
                CrowdStrike policy name.
        
            - name: PolicyID
              type: keyword
              description: >
                CrowdStrike policy id.
        
            - name: Status
              type: keyword
              description: >
                CrowdStrike status.
        
            - name: TreeID
              type: keyword
              description: >
                CrowdStrike tree id.
        
            # RemoteResponseSessionEndEvent
            - name: Commands
              type: keyword
              description: >
                Commands run in a remote session.
- key: cyberarkpas
  title: CyberArk PAS
  description: >
    cyberarkpas fields.
  fields:
    - name: cyberarkpas
      type: group
      fields:

        - name: audit
          type: group
          description: >
            Cyberark Privileged Access Security Audit fields.
          fields:
            - name: action
              type: keyword
              description: A description of the audit record.
            - name: ca_properties
              type: group
              description: Account metadata.
              fields:
                - name: address
                  type: keyword
                - name: cpm_disabled
                  type: keyword
                - name: cpm_error_details
                  type: keyword
                - name: cpm_status
                  type: keyword
                - name: creation_method
                  type: keyword
                - name: customer
                  type: keyword
                - name: database
                  type: keyword
                - name: device_type
                  type: keyword
                - name: dual_account_status
                  type: keyword
                - name: group_name
                  type: keyword
                - name: in_process
                  type: keyword
                - name: index
                  type: keyword
                - name: last_fail_date
                  type: keyword
                - name: last_success_change
                  type: keyword
                - name: last_success_reconciliation
                  type: keyword
                - name: last_success_verification
                  type: keyword
                - name: last_task
                  type: keyword
                - name: logon_domain
                  type: keyword
                - name: policy_id
                  type: keyword
                - name: port
                  type: keyword
                - name: privcloud
                  type: keyword
                - name: reset_immediately
                  type: keyword
                - name: retries_count
                  type: keyword
                - name: sequence_id
                  type: keyword
                - name: tags
                  type: keyword
                - name: user_dn
                  type: keyword
                - name: user_name
                  type: keyword
                - name: virtual_username
                  type: keyword
                - name: other
                  type: flattened
            - name: category
              type: keyword
              description: The category name (for category-related operations).
            - name: desc
              type: keyword
              description: A static value that displays a description of the audit codes.
            - name: extra_details
              type: group
              description: Specific extra details of the audit records.
              fields:
                - name: ad_process_id
                  type: keyword
                - name: ad_process_name
                  type: keyword
                - name: application_type
                  type: keyword
                - name: command
                  type: keyword
                - name: connection_component_id
                  type: keyword
                - name: dst_host
                  type: keyword
                - name: logon_account
                  type: keyword
                - name: managed_account
                  type: keyword
                - name: process_id
                  type: keyword
                - name: process_name
                  type: keyword
                - name: protocol
                  type: keyword
                - name: psmid
                  type: keyword
                - name: session_duration
                  type: keyword
                - name: session_id
                  type: keyword
                - name: src_host
                  type: keyword
                - name: username
                  type: keyword
                - name: other
                  type: flattened
            - name: file
              type: keyword
              description: The name of the target file.
            - name: gateway_station
              type: ip
              description: The IP of the web application machine (PVWA).
            - name: hostname
              type: keyword
              description: The hostname, in upper case.
              example: MY-COMPUTER
            - name: iso_timestamp
              type: date
              description: The timestamp, in ISO Timestamp format (RFC 3339).
              example: 2013-6-25T10:47:19Z
            - name: issuer
              type: keyword
              description: The Vault user who wrote the audit. This is usually the user who performed the operation.
            - name: location
              type: keyword
              description: The target Location (for Location operations).
              ignore_above: 4096
              doc_values: false
              index: false
            - name: message
              type: keyword
              description: A description of the audit records (same information as in the Desc field).
            - name: message_id
              type: keyword
              description: The code ID of the audit records.
            - name: product
              type: keyword
              description: A static value that represents the product.
            - name: pvwa_details
              type: flattened
              description: Specific details of the PVWA audit records.
            - name: raw
              type: keyword
              description: >
                Raw XML for the original audit record.
                Only present when XSLT file has debugging enabled.
              ignore_above: 4096
              doc_values: false
              index: false
            - name: reason
              type: text
              description: The reason entered by the user.
              norms: false
            - name: rfc5424
              type: boolean
              description: Whether the syslog format complies with RFC5424.
              example: yes
            - name: safe
              type: keyword
              description: The name of the target Safe.
            - name: severity
              type: keyword
              description: The severity of the audit records.
            - name: source_user
              type: keyword
              description: The name of the Vault user who performed the operation.
            - name: station
              type: ip
              description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
            - name: target_user
              type: keyword
              description: The name of the Vault user on which the operation was performed.
            - name: timestamp
              type: keyword
              description: The timestamp, in MMM DD HH:MM:SS format.
              example: Jun 25 10:47:19
            - name: vendor
              type: keyword
              description: A static value that represents the vendor.
            - name: version
              type: keyword
              description: A static value that represents the version of the Vault.
- key: cylance
  title: CylanceProtect
  description: >
    cylance fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse metadata from a session (logs/packets)
                directly; it is a reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse metadata from a session (logs/packets) directly; it is a
                reserved key in NetWitness.
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse metadata from a session (logs/packets) directly; it is a
                reserved key in NetWitness.
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse metadata from a session (logs/packets) directly; it
                is a reserved key in NetWitness.
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse metadata from a session (logs/packets) directly; it is
                a reserved key in NetWitness.
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse metadata from a session (logs/packets)
                directly; it is a reserved key in NetWitness.
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the classification of the log event source under a predefined
                fixed set of event source classifications. This key should never be used to
                parse metadata from a session (logs/packets) directly; it is a reserved
                key in NetWitness.
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse metadata from a session
                (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the hostname of the log event source sending the logs to
                NetWitness. This key should never be used to parse metadata from a session
                (logs/packets) directly; it is a reserved key in NetWitness.
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This key is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This key is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for uninterpreted LDAP values: LDAP values that don't
                have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This is a Windows-specific key used to capture the name of the
                account a service (referenced in the event) is running under. Legacy usage.
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, i.e. the file
                which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of the file, as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in
                Healthcare to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in
                Healthcare to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: envoyproxy
  title: Envoyproxy
  description: >
    Module for handling logs produced by envoy
  fields:
    - name: envoyproxy
      type: group
      description: >
        Fields from envoy proxy logs after normalization
      fields:
      - name: log_type
        type: keyword
        description: >
          Envoy log type, normally ACCESS

      - name: response_flags
        type: keyword
        description: >
          Response flags

      - name: upstream_service_time
        type: long
        format: duration
        input_format: nanoseconds
        description: >
          Upstream service time in nanoseconds

      - name: request_id
        type: keyword
        description: >
          ID of the request

      - name: authority
        type: keyword
        description: >
          Envoy proxy authority field

      - name: proxy_type
        type: keyword
        description: >
          Envoy proxy type, tcp or http

- key: f5
  title: Big-IP Access Policy Manager
  description: >
    f5 fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the
                database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) directly; this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) directly; this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) directly; this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) directly; this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) directly; this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) directly; this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) directly;
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) directly; this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) directly; this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) directly; this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) directly; this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                directly; this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) directly; this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, e.g. a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; this is used predominantly in
                Healthcare to capture patients' information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; this is used predominantly in
                Healthcare to capture patients' information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; this is used predominantly in
                Healthcare to capture patients' information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. LDAP values that don't
                have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                MaxMind GeoIP database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the MaxMind
                GeoIP database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture Patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture Patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in Healthcare
                to capture Patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: fortinet
  title: Fortinet
  description: >
    fortinet Module
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given in the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of the object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, like a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key captures the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully qualified
                domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be
                a numeric value. Use policy.name otherwise.
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rule name), which effectively constitutes a template.
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session.
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: This key should only be used when it's a Destination Hostname
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: This key should only be used when it's a Source Interface
            - name: dinterface
              overwrite: true
              type: keyword
              description: This key should only be used when it's a Destination Interface
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: This key should only be used when it's a Source Zone.
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: This key should only be used when it's a Destination Zone.
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (Ex: Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (Ex: Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (Ex: User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (Ex: Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture an indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used to capture the name of
                the account a service (referenced in the event) is running under. Legacy usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in Healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: fortinet
          type: group
          description: >
            Fields from fortinet FortiOS
          fields:
        
            - name: file.hash.crc32
              type: keyword
              description: >
                CRC32 Hash of file
        
            - name: firewall
              type: group
              release: beta
              description: >
                Module for parsing Fortinet syslog.
              fields:
                - name: acct_stat
                  type: keyword
                  description: >
                    Accounting state (RADIUS)
        
                - name: acktime
                  type: keyword
                  description: >
                    Alarm Acknowledge Time
        
                - name: act
                  type: keyword
                  description: >
                    Action
        
                - name: action
                  type: keyword
                  description: >
                    Status of the session
        
                - name: activity
                  type: keyword
                  description: >
                    HA activity message
        
                - name: addr
                  type: ip
                  description: >
                    IP Address
        
                - name: addr_type
                  type: keyword
                  description: >
                    Address Type
        
                - name: addrgrp
                  type: keyword
                  description: >
                    Address Group
        
                - name: adgroup
                  type: keyword
                  description: >
                    AD Group Name
        
                - name: admin
                  type: keyword
                  description: >
                    Admin User
        
                - name: age
                  type: integer
                  description: >
                    Time in seconds - time passed since last seen
        
                - name: agent
                  type: keyword
                  description: >
                    User agent - e.g. agent="Mozilla/5.0"
        
                - name: alarmid
                  type: integer
                  description: >
                    Alarm ID
        
                - name: alert
                  type: keyword
                  description: >
                    Alert
        
                - name: analyticscksum
                  type: keyword
                  description: >
                    The checksum of the file submitted for analytics
        
                - name: analyticssubmit
                  type: keyword
                  description: >
                    The flag for analytics submission
        
                - name: ap
                  type: keyword
                  description: >
                    Access Point
        
                - name: app-type
                  type: keyword
                  description: >
                    Address Type
        
                - name: appact
                  type: keyword
                  description: >
                    The security action from app control
        
                - name: appid
                  type: integer
                  description: >
                    Application ID
        
                - name: applist
                  type: keyword
                  description: >
                    Application Control profile
        
                - name: apprisk
                  type: keyword
                  description: >
                    Application Risk Level
        
                - name: apscan
                  type: keyword
                  description: >
                    The name of the AP, which scanned and detected the rogue AP
        
                - name: apsn
                  type: keyword
                  description: >
                    Access Point
        
                - name: apstatus
                  type: keyword
                  description: >
                    Access Point status
        
                - name: aptype
                  type: keyword
                  description: >
                    Access Point type
        
                - name: assigned
                  type: ip
                  description: >
                    Assigned IP Address
        
                - name: assignip
                  type: ip
                  description: >
                    Assigned IP Address
        
                - name: attachment
                  type: keyword
                  description: >
                    The flag for email attachment
        
                - name: attack
                  type: keyword
                  description: >
                    Attack Name
        
                - name: attackcontext
                  type: keyword
                  description: >
                    The trigger patterns and the packetdata with base64 encoding
        
                - name: attackcontextid
                  type: keyword
                  description: >
                    Attack context id / total
        
                - name: attackid
                  type: integer
                  description: >
                    Attack ID
        
                - name: auditid
                  type: long
                  description: >
                    Audit ID
        
                - name: auditscore
                  type: keyword
                  description: >
                    The Audit Score
        
                - name: audittime
                  type: long
                  description: >
                    The time of the audit
        
                - name: authgrp
                  type: keyword
                  description: >
                    Authorization Group
        
                - name: authid
                  type: keyword
                  description: >
                    Authentication ID
        
                - name: authproto
                  type: keyword
                  description: >
                    The protocol that initiated the authentication
        
                - name: authserver
                  type: keyword
                  description: >
                    Authentication server
        
                - name: bandwidth
                  type: keyword
                  description: >
                    Bandwidth
        
                - name: banned_rule
                  type: keyword
                  description: >
                    NAC quarantine Banned Rule Name
        
                - name: banned_src
                  type: keyword
                  description: >
                    NAC quarantine Banned Source IP
        
                - name: banword
                  type: keyword
                  description: >
                    Banned word
        
                - name: botnetdomain
                  type: keyword
                  description: >
                    Botnet Domain Name
        
                - name: botnetip
                  type: ip
                  description: >
                    Botnet IP Address
        
                - name: bssid
                  type: keyword
                  description: >
                    Service Set ID
        
                - name: call_id
                  type: keyword
                  description: >
                    Caller ID
        
                - name: carrier_ep
                  type: keyword
                  description: >
                    The FortiOS Carrier end-point identification
        
                - name: cat
                  type: integer
                  description: >
                    DNS category ID
        
                - name: category
                  type: keyword
                  description: >
                    Authentication category
        
                - name: cc
                  type: keyword
                  description: >
                    CC Email Address
        
                - name: cdrcontent
                  type: keyword
                  description: >
                    Cdrcontent
        
                - name: centralnatid
                  type: integer
                  description: >
                    Central NAT ID
        
                - name: cert
                  type: keyword
                  description: >
                    Certificate
        
                - name: cert-type
                  type: keyword
                  description: >
                    Certificate type
        
                - name: certhash
                  type: keyword
                  description: >
                    Certificate hash
        
                - name: cfgattr
                  type: keyword
                  description: >
                    Configuration attribute
        
                - name: cfgobj
                  type: keyword
                  description: >
                    Configuration object
        
                - name: cfgpath
                  type: keyword
                  description: >
                    Configuration path
        
                - name: cfgtid
                  type: keyword
                  description: >
                    Configuration transaction ID
        
                - name: cfgtxpower
                  type: integer
                  description: >
                    Configuration TX power
        
                - name: channel
                  type: integer
                  description: >
                    Wireless Channel
        
                - name: channeltype
                  type: keyword
                  description: >
                    SSH channel type
        
                - name: chassisid
                  type: integer
                  description: >
                    Chassis ID
        
                - name: checksum
                  type: keyword
                  description: >
                    The checksum of the scanned file
        
                - name: chgheaders
                  type: keyword
                  description: >
                    HTTP Headers
        
                - name: cldobjid
                  type: keyword
                  description: >
                    Connector object ID
        
                - name: client_addr
                  type: keyword
                  description: >
                    Wifi client address
        
                - name: cloudaction
                  type: keyword
                  description: >
                    Cloud Action
        
                - name: clouduser
                  type: keyword
                  description: >
                    Cloud User
        
                - name: column
                  type: integer
                  description: >
                    VOIP Column
        
                - name: command
                  type: keyword
                  description: >
                    CLI Command
        
                - name: community
                  type: keyword
                  description: >
                    SNMP Community
        
                - name: configcountry
                  type: keyword
                  description: >
                    Configuration country
        
                - name: connection_type
                  type: keyword
                  description: >
                    FortiClient Connection Type
        
                - name: conserve
                  type: keyword
                  description: >
                    Flag for conserve mode
        
                - name: constraint
                  type: keyword
                  description: >
                    WAF http protocol restrictions
        
                - name: contentdisarmed
                  type: keyword
                  description: >
                    Email scanned content
        
                - name: contenttype
                  type: keyword
                  description: >
                    Content Type from HTTP header
        
                - name: cookies
                  type: keyword
                  description: >
                    VPN Cookie
        
                - name: count
                  type: integer
                  description: >
                    Counts of action type
        
                - name: countapp
                  type: integer
                  description: >
                    Number of App Ctrl logs associated with the session
        
                - name: countav
                  type: integer
                  description: >
                    Number of AV logs associated with the session
        
                - name: countcifs
                  type: integer
                  description: >
                    Number of CIFS logs associated with the session
        
                - name: countdlp
                  type: integer
                  description: >
                    Number of DLP logs associated with the session
        
                - name: countdns
                  type: integer
                  description: >
                    Number of DNS logs associated with the session
        
                - name: countemail
                  type: integer
                  description: >
                    Number of email logs associated with the session
        
                - name: countff
                  type: integer
                  description: >
                    Number of ff logs associated with the session
        
                - name: countips
                  type: integer
                  description: >
                    Number of IPS logs associated with the session
        
                - name: countssh
                  type: integer
                  description: >
                    Number of SSH logs associated with the session
        
                - name: countssl
                  type: integer
                  description: >
                    Number of SSL logs associated with the session
        
                - name: countwaf
                  type: integer
                  description: >
                    Number of WAF logs associated with the session
        
                - name: countweb
                  type: integer
                  description: >
                    Number of Web filter logs associated with the session
        
                - name: cpu
                  type: integer
                  description: >
                    CPU Usage
        
                - name: craction
                  type: integer
                  description: >
                    Client Reputation Action
        
                - name: criticalcount
                  type: integer
                  description: >
                    Number of critical ratings
        
                - name: crl
                  type: keyword
                  description: >
                    Client Reputation Level
        
                - name: crlevel
                  type: keyword
                  description: >
                    Client Reputation Level
        
                - name: crscore
                  type: integer
                  description: >
                    Some description
        
                - name: cveid
                  type: keyword
                  description: >
                    CVE ID
        
                - name: daemon
                  type: keyword
                  description: >
                    Daemon name
        
                - name: datarange
                  type: keyword
                  description: >
                    Data range for reports
        
                - name: date
                  type: keyword
                  description: >
                    Date
        
                - name: ddnsserver
                  type: ip
                  description: >
                    DDNS server
        
                - name: desc
                  type: keyword
                  description: >
                    Description
        
                - name: detectionmethod
                  type: keyword
                  description: >
                    Detection method
        
                - name: devcategory
                  type: keyword
                  description: >
                    Device category
        
                - name: devintfname
                  type: keyword
                  description: >
                    HA device Interface Name
        
                - name: devtype
                  type: keyword
                  description: >
                    Device type
        
                - name: dhcp_msg
                  type: keyword
                  description: >
                    DHCP Message
        
                - name: dintf
                  type: keyword
                  description: >
                    Destination interface
        
                - name: disk
                  type: keyword
                  description: >
                    Associated disk
        
                - name: disklograte
                  type: long
                  description: >
                    Disk logging rate
        
                - name: dlpextra
                  type: keyword
                  description: >
                    DLP extra information
        
                - name: docsource
                  type: keyword
                  description: >
                    DLP fingerprint document source
        
                - name: domainctrlauthstate
                  type: integer
                  description: >
                    CIFS domain auth state
        
                - name: domainctrlauthtype
                  type: integer
                  description: >
                    CIFS domain auth type
        
                - name: domainctrldomain
                  type: keyword
                  description: >
                    CIFS domain auth domain
        
                - name: domainctrlip
                  type: ip
                  description: >
                    CIFS Domain IP
        
                - name: domainctrlname
                  type: keyword
                  description: >
                    CIFS Domain name
        
                - name: domainctrlprotocoltype
                  type: integer
                  description: >
                    CIFS Domain connection protocol
        
                - name: domainctrlusername
                  type: keyword
                  description: >
                    CIFS Domain username
        
                - name: domainfilteridx
                  type: integer
                  description: >
                    Domain filter ID
        
                - name: domainfilterlist
                  type: keyword
                  description: >
                    Domain filter name
        
                - name: ds
                  type: keyword
                  description: >
                    Direction with distribution system
        
                - name: dst_int
                  type: keyword
                  description: >
                    Destination interface
        
                - name: dstintfrole
                  type: keyword
                  description: >
                    Destination interface role
        
                - name: dstcountry
                  type: keyword
                  description: >
                    Destination country
        
                - name: dstdevcategory
                  type: keyword
                  description: >
                    Destination device category
        
                - name: dstdevtype
                  type: keyword
                  description: >
                    Destination device type
        
                - name: dstfamily
                  type: keyword
                  description: >
                    Destination OS family
        
                - name: dsthwvendor
                  type: keyword
                  description: >
                    Destination HW vendor
        
                - name: dsthwversion
                  type: keyword
                  description: >
                    Destination HW version
        
                - name: dstinetsvc
                  type: keyword
                  description: >
                    Destination interface service
        
                - name: dstosname
                  type: keyword
                  description: >
                    Destination OS name
        
                - name: dstosversion
                  type: keyword
                  description: >
                    Destination OS version
        
                - name: dstserver
                  type: integer
                  description: >
                    Destination server
        
                - name: dstssid
                  type: keyword
                  description: >
                    Destination SSID
        
                - name: dstswversion
                  type: keyword
                  description: >
                    Destination software version
        
                - name: dstunauthusersource
                  type: keyword
                  description: >
                    Destination unauthenticated source
        
                - name: dstuuid
                  type: keyword
                  description: >
                    UUID of the Destination IP address
        
                - name: duid
                  type: keyword
                  description: >
                    DHCP UID
        
                - name: eapolcnt
                  type: integer
                  description: >
                    EAPOL packet count
        
                - name: eapoltype
                  type: keyword
                  description: >
                    EAPOL packet type
        
                - name: encrypt
                  type: integer
                  description: >
                    Whether the packet is encrypted or not
        
                - name: encryption
                  type: keyword
                  description: >
                    Encryption method
        
                - name: epoch
                  type: integer
                  description: >
                    Epoch used for locating file
        
                - name: espauth
                  type: keyword
                  description: >
                    ESP Authentication
        
                - name: esptransform
                  type: keyword
                  description: >
                    ESP Transform
        
                - name: eventtype
                  type: keyword
                  description: >
                    UTM Event Type
        
                - name: exch
                  type: keyword
                  description: >
                    Mail Exchanges from DNS response answer section
        
                - name: exchange
                  type: keyword
                  description: >
                    Mail Exchanges from DNS response answer section
        
                - name: expectedsignature
                  type: keyword
                  description: >
                    Expected SSL signature
        
                - name: expiry
                  type: keyword
                  description: >
                    FortiGuard override expiry timestamp
        
                - name: fams_pause
                  type: integer
                  description: >
                    Fortinet Analysis and Management Service Pause
        
                - name: fazlograte
                  type: long
                  description: >
                    FortiAnalyzer Logging Rate
        
                - name: fctemssn
                  type: keyword
                  description: >
                    FortiClient Endpoint SSN
        
                - name: fctuid
                  type: keyword
                  description: >
                    FortiClient UID
        
                - name: field
                  type: keyword
                  description: >
                    NTP status field
        
                - name: filefilter
                  type: keyword
                  description: >
                    The filter used to identify the affected file
        
                - name: filehashsrc
                  type: keyword
                  description: >
                    Filehash source
        
                - name: filtercat
                  type: keyword
                  description: >
                    DLP filter category
        
                - name: filteridx
                  type: integer
                  description: >
                    DLP filter ID
        
                - name: filtername
                  type: keyword
                  description: >
                    DLP rule name
        
                - name: filtertype
                  type: keyword
                  description: >
                    DLP filter type
        
                - name: fortiguardresp
                  type: keyword
                  description: >
                    Antispam ESP value
        
                - name: forwardedfor
                  type: keyword
                  description: >
                    Email address forwarded
        
                - name: fqdn
                  type: keyword
                  description: >
                    FQDN
        
                - name: frametype
                  type: keyword
                  description: >
                    Wireless frametype
        
                - name: freediskstorage
                  type: integer
                  description: >
                    Free disk storage
        
                - name: from
                  type: keyword
                  description: >
                    From email address
        
                - name: from_vcluster
                  type: integer
                  description: >
                    Source virtual cluster number
        
                - name: fsaverdict
                  type: keyword
                  description: >
                    FSA verdict
        
                - name: fwserver_name
                  type: keyword
                  description: >
                    Web proxy server name
        
                - name: gateway
                  type: ip
                  description: >
                    Gateway IP address for PPPoE status report
        
                - name: green
                  type: keyword
                  description: >
                    Memory status
        
                - name: groupid
                  type: integer
                  description: >
                    User Group ID
        
                - name: ha-prio
                  type: integer
                  description: >
                    HA Priority
        
                - name: ha_group
                  type: keyword
                  description: >
                    HA Group
        
                - name: ha_role
                  type: keyword
                  description: >
                    HA Role
        
                - name: handshake
                  type: keyword
                  description: >
                    SSL Handshake
        
                - name: hash
                  type: keyword
                  description: >
                    Hash value of downloaded file
        
                - name: hbdn_reason
                  type: keyword
                  description: >
                    Heartbeat down reason
        
                - name: highcount
                  type: integer
                  description: >
                    Highcount fabric summary
        
                - name: host
                  type: keyword
                  description: >
                    Hostname
        
                - name: iaid
                  type: keyword
                  description: >
                    DHCPv6 id
        
                - name: icmpcode
                  type: keyword
                  description: >
                    Destination Port of the ICMP message
        
                - name: icmpid
                  type: keyword
                  description: >
                    Source port of the ICMP message
        
                - name: icmptype
                  type: keyword
                  description: >
                    The type of ICMP message
        
                - name: identifier
                  type: integer
                  description: >
                    Network traffic identifier
        
                - name: in_spi
                  type: keyword
                  description: >
                    IPSEC inbound SPI
        
                - name: incidentserialno
                  type: integer
                  description: >
                    Incident serial number
        
                - name: infected
                  type: integer
                  description: >
                    Infected MMS
        
                - name: infectedfilelevel
                  type: integer
                  description: >
                    DLP infected file level
        
                - name: informationsource
                  type: keyword
                  description: >
                    Information source
        
                - name: init
                  type: keyword
                  description: >
                    IPSEC init stage
        
                - name: initiator
                  type: keyword
                  description: >
                    Original login user name for Fortiguard override
        
                - name: interface
                  type: keyword
                  description: >
                    Related interface
        
                - name: intf
                  type: keyword
                  description: >
                    Related interface
        
                - name: invalidmac
                  type: keyword
                  description: >
                    The MAC address with invalid OUI
        
                - name: ip
                  type: ip
                  description: >
                    Related IP
        
                - name: iptype
                  type: keyword
                  description: >
                    Related IP type
        
                - name: keyword
                  type: keyword
                  description: >
                    Keyword used for search
        
                - name: kind
                  type: keyword
                  description: >
                    VOIP kind
        
                - name: lanin
                  type: long
                  description: >
                    LAN incoming traffic in bytes
        
                - name: lanout
                  type: long
                  description: >
                    LAN outbound traffic in bytes
        
                - name: lease
                  type: integer
                  description: >
                    DHCP lease
        
                - name: license_limit
                  type: keyword
                  description: >
                    Maximum Number of FortiClients for the License
        
                - name: limit
                  type: integer
                  description: >
                    Virtual Domain Resource Limit
        
                - name: line
                  type: keyword
                  description: >
                    VOIP line
        
                - name: live
                  type: integer
                  description: >
                    Time in seconds
        
                - name: local
                  type: ip
                  description: >
                    Local IP for a PPPD Connection
        
                - name: log
                  type: keyword
                  description: >
                    Log message
        
                - name: login
                  type: keyword
                  description: >
                    SSH login
        
                - name: lowcount
                  type: integer
                  description: >
                    Fabric lowcount
        
                - name: mac
                  type: keyword
                  description: >
                    DHCP mac address
        
                - name: malform_data
                  type: integer
                  description: >
                    VOIP malformed data
        
                - name: malform_desc
                  type: keyword
                  description: >
                    VOIP malformed data description
        
                - name: manuf
                  type: keyword
                  description: >
                    Manufacturer name
        
                - name: masterdstmac
                  type: keyword
                  description: >
                    Master mac address for a host with multiple network interfaces
        
                - name: mastersrcmac
                  type: keyword
                  description: >
                    The master MAC address for a host that has multiple network interfaces
        
                - name: mediumcount
                  type: integer
                  description: >
                    Fabric medium count
        
                - name: mem
                  type: integer
                  description: >
                    Memory usage system statistics
        
                - name: meshmode
                  type: keyword
                  description: >
                    Wireless mesh mode
        
                - name: message_type
                  type: keyword
                  description: >
                    VOIP message type
        
                - name: method
                  type: keyword
                  description: >
                    HTTP method
        
                - name: mgmtcnt
                  type: integer
                  description: >
                    The number of unauthorized client flooding management frames
        
                - name: mode
                  type: keyword
                  description: >
                    IPSEC mode
        
                - name: module
                  type: keyword
                  description: >
                    PCI-DSS module
        
                - name: monitor-name
                  type: keyword
                  description: >
                    Health Monitor Name
        
                - name: monitor-type
                  type: keyword
                  description: >
                    Health Monitor Type
        
                - name: mpsk
                  type: keyword
                  description: >
                    Wireless MPSK
        
                - name: msgproto
                  type: keyword
                  description: >
                    Message Protocol Number
        
                - name: mtu
                  type: integer
                  description: >
                    Max Transmission Unit Value
        
                - name: name
                  type: keyword
                  description: >
                    Name
        
                - name: nat
                  type: keyword
                  description: >
                    NAT IP Address
        
                - name: netid
                  type: keyword
                  description: >
                    Connector NetID
        
                - name: new_status
                  type: keyword
                  description: >
                    New status on user change
        
                - name: new_value
                  type: keyword
                  description: >
                    New Virtual Domain Name
        
                - name: newchannel
                  type: integer
                  description: >
                    New Channel Number
        
                - name: newchassisid
                  type: integer
                  description: >
                    New Chassis ID
        
                - name: newslot
                  type: integer
                  description: >
                    New Slot Number
        
                - name: nextstat
                  type: integer
                  description: >
                    Time interval in seconds for the next statistics.
        
                - name: nf_type
                  type: keyword
                  description: >
                    Notification Type
        
                - name: noise
                  type: integer
                  description: >
                    Wifi Noise
        
                - name: old_status
                  type: keyword
                  description: >
                    Original Status
        
                - name: old_value
                  type: keyword
                  description: >
                    Original Virtual Domain name
        
                - name: oldchannel
                  type: integer
                  description: >
                    Original channel
        
                - name: oldchassisid
                  type: integer
                  description: >
                    Original Chassis Number
        
                - name: oldslot
                  type: integer
                  description: >
                    Original Slot Number
        
                - name: oldsn
                  type: keyword
                  description: >
                    Old Serial number
        
                - name: oldwprof
                  type: keyword
                  description: >
                    Old Web Filter Profile
        
                - name: onwire
                  type: keyword
                  description: >
                    A flag to indicate if the AP is onwire or not
        
                - name: opercountry
                  type: keyword
                  description: >
                    Operating Country
        
                - name: opertxpower
                  type: integer
                  description: >
                    Operating TX power
        
                - name: osname
                  type: keyword
                  description: >
                    Operating System name
        
                - name: osversion
                  type: keyword
                  description: >
                    Operating System version
        
                - name: out_spi
                  type: keyword
                  description: >
                    Out SPI
        
                - name: outintf
                  type: keyword
                  description: >
                    Out interface
        
                - name: passedcount
                  type: integer
                  description: >
                    Fabric passed count
        
                - name: passwd
                  type: keyword
                  description: >
                    Changed user password information
        
                - name: path
                  type: keyword
                  description: >
                    Path of looped configuration for security fabric
        
                - name: peer
                  type: keyword
                  description: >
                    WAN optimization peer
        
                - name: peer_notif
                  type: keyword
                  description: >
                    VPN peer notification
        
                - name: phase2_name
                  type: keyword
                  description: >
                    VPN phase2 name
        
                - name: phone
                  type: keyword
                  description: >
                    VOIP Phone
        
                - name: pid
                  type: integer
                  description: >
                    Process ID
        
                - name: policytype
                  type: keyword
                  description: >
                    Policy Type
        
                - name: poolname
                  type: keyword
                  description: >
                    IP Pool name
        
                - name: port
                  type: integer
                  description: >
                    Log upload error port
        
                - name: portbegin
                  type: integer
                  description: >
                    IP Pool port number to begin
        
                - name: portend
                  type: integer
                  description: >
                    IP Pool port number to end
        
                - name: probeproto
                  type: keyword
                  description: >
                    Link Monitor Probe Protocol
        
                - name: process
                  type: keyword
                  description: >
                    URL Filter process
        
                - name: processtime
                  type: integer
                  description: >
                    Process time for reports
        
                - name: profile
                  type: keyword
                  description: >
                    Profile Name
        
                - name: profile_vd
                  type: keyword
                  description: >
                    Virtual Domain Name
        
                - name: profilegroup
                  type: keyword
                  description: >
                    Profile Group Name
        
                - name: profiletype
                  type: keyword
                  description: >
                    Profile Type
        
                - name: qtypeval
                  type: integer
                  description: >
                    DNS question type value
        
                - name: quarskip
                  type: keyword
                  description: >
                    Quarantine skip explanation
        
                - name: quotaexceeded
                  type: keyword
                  description: >
                    If quota has been exceeded
        
                - name: quotamax
                  type: long
                  description: >
                    Maximum quota allowed - in seconds if time-based - in bytes if traffic-based
        
                - name: quotatype
                  type: keyword
                  description: >
                    Quota type
        
                - name: quotaused
                  type: long
                  description: >
                    Quota used - in seconds if time-based - in bytes if traffic-based
        
                - name: radioband
                  type: keyword
                  description: >
                    Radio band
        
                - name: radioid
                  type: integer
                  description: >
                    Radio ID
        
                - name: radioidclosest
                  type: integer
                  description: >
                    Radio ID on the AP closest to the rogue AP
        
                - name: radioiddetected
                  type: integer
                  description: >
                    Radio ID on the AP which detected the rogue AP
        
                - name: rate
                  type: keyword
                  description: >
                    Wireless rogue rate value
        
                - name: rawdata
                  type: keyword
                  description: >
                    Raw data value
        
                - name: rawdataid
                  type: keyword
                  description: >
                    Raw data ID
        
                - name: rcvddelta
                  type: keyword
                  description: >
                    Received bytes delta
        
                - name: reason
                  type: keyword
                  description: >
                    Alert reason
        
                - name: received
                  type: integer
                  description: >
                    Server key exchange received
        
                - name: receivedsignature
                  type: keyword
                  description: >
                    Server key exchange received signature
        
                - name: red
                  type: keyword
                  description: >
                    Memory information in red
        
                - name: referralurl
                  type: keyword
                  description: >
                    Web filter referralurl
        
                - name: remote
                  type: ip
                  description: >
                    Remote PPP IP address
        
                - name: remotewtptime
                  type: keyword
                  description: >
                    Remote Wifi Radius authentication time
        
                - name: reporttype
                  type: keyword
                  description: >
                    Report type
        
                - name: reqtype
                  type: keyword
                  description: >
                    Request type
        
                - name: request_name
                  type: keyword
                  description: >
                    VOIP request name
        
                - name: result
                  type: keyword
                  description: >
                    VPN phase result
        
                - name: role
                  type: keyword
                  description: >
                    VPN Phase 2 role
        
                - name: rssi
                  type: integer
                  description: >
                    Received signal strength indicator
        
                - name: rsso_key
                  type: keyword
                  description: >
                    RADIUS SSO attribute value
        
                - name: ruledata
                  type: keyword
                  description: >
                    Rule data
        
                - name: ruletype
                  type: keyword
                  description: >
                    Rule type
        
                - name: scanned
                  type: integer
                  description: >
                    Number of Scanned MMSs
        
                - name: scantime
                  type: long
                  description: >
                    Scanned time
        
                - name: scope
                  type: keyword
                  description: >
                    FortiGuard Override Scope
        
                - name: security
                  type: keyword
                  description: >
                    Wireless rogue security
        
                - name: sensitivity
                  type: keyword
                  description: >
                    Sensitivity for document fingerprint
        
                - name: sensor
                  type: keyword
                  description: >
                    NAC Sensor Name
        
                - name: sentdelta
                  type: keyword
                  description: >
                    Sent bytes delta
        
                - name: seq
                  type: keyword
                  description: >
                    Sequence number
        
                - name: serial
                  type: keyword
                  description: >
                    WAN optimisation serial
        
                - name: serialno
                  type: keyword
                  description: >
                    Serial number
        
                - name: server
                  type: keyword
                  description: >
                    AD server FQDN or IP
        
                - name: session_id
                  type: keyword
                  description: >
                    Session ID
        
                - name: sessionid
                  type: integer
                  description: >
                    WAD Session ID
        
                - name: setuprate
                  type: long
                  description: >
                    Session Setup Rate
        
                - name: severity
                  type: keyword
                  description: >
                    Severity
        
                - name: shaperdroprcvdbyte
                  type: integer
                  description: >
                    Received bytes dropped by shaper
        
                - name: shaperdropsentbyte
                  type: integer
                  description: >
                    Sent bytes dropped by shaper
        
                - name: shaperperipdropbyte
                  type: integer
                  description: >
                    Dropped bytes per IP by shaper
        
                - name: shaperperipname
                  type: keyword
                  description: >
                    Traffic shaper name (per IP)
        
                - name: shaperrcvdname
                  type: keyword
                  description: >
                    Traffic shaper name for received traffic
        
                - name: shapersentname
                  type: keyword
                  description: >
                    Traffic shaper name for sent traffic
        
                - name: shapingpolicyid
                  type: integer
                  description: >
                    Traffic shaper policy ID
        
                - name: signal
                  type: integer
                  description: >
                    Wireless rogue API signal
        
                - name: size
                  type: long
                  description: >
                    Email size in bytes
        
                - name: slot
                  type: integer
                  description: >
                    Slot number
        
                - name: sn
                  type: keyword
                  description: >
                    Security fabric serial number
        
                - name: snclosest
                  type: keyword
                  description: >
                    SN of the AP closest to the rogue AP
        
                - name: sndetected
                  type: keyword
                  description: >
                    SN of the AP which detected the rogue AP
        
                - name: snmeshparent
                  type: keyword
                  description: >
                    SN of the mesh parent
        
                - name: spi
                  type: keyword
                  description: >
                    IPSEC SPI
        
                - name: src_int
                  type: keyword
                  description: >
                    Source interface
        
                - name: srcintfrole
                  type: keyword
                  description: >
                    Source interface role
        
                - name: srccountry
                  type: keyword
                  description: >
                    Source country
        
                - name: srcfamily
                  type: keyword
                  description: >
                    Source family
        
                - name: srchwvendor
                  type: keyword
                  description: >
                    Source hardware vendor
        
                - name: srchwversion
                  type: keyword
                  description: >
                    Source hardware version
        
                - name: srcinetsvc
                  type: keyword
                  description: >
                    Source interface service
        
                - name: srcname
                  type: keyword
                  description: >
                    Source name
        
                - name: srcserver
                  type: integer
                  description: >
                    Source server
        
                - name: srcssid
                  type: keyword
                  description: >
                    Source SSID
        
                - name: srcswversion
                  type: keyword
                  description: >
                    Source software version
        
                - name: srcuuid
                  type: keyword
                  description: >
                    Source UUID
        
                - name: sscname
                  type: keyword
                  description: >
                    SSC name
        
                - name: ssid
                  type: keyword
                  description: >
                    Base Service Set ID
        
                - name: sslaction
                  type: keyword
                  description: >
                    SSL Action
        
                - name: ssllocal
                  type: keyword
                  description: >
                    WAD SSL local
        
                - name: sslremote
                  type: keyword
                  description: >
                    WAD SSL remote
        
                - name: stacount
                  type: integer
                  description: >
                    Number of stations/clients
        
                - name: stage
                  type: keyword
                  description: >
                    IPSEC stage
        
                - name: stamac
                  type: keyword
                  description: >
                    802.1x station mac
        
                - name: state
                  type: keyword
                  description: >
                    Admin login state
        
                - name: status
                  type: keyword
                  description: >
                    Status
        
                - name: stitch
                  type: keyword
                  description: >
                    Automation stitch triggered
        
                - name: subject
                  type: keyword
                  description: >
                    Email subject
        
                - name: submodule
                  type: keyword
                  description: >
                    Configuration Sub-Module Name
        
                - name: subservice
                  type: keyword
                  description: >
                    AV subservice
        
                - name: subtype
                  type: keyword
                  description: >
                    Log subtype
        
                - name: suspicious
                  type: integer
                  description: >
                    Number of Suspicious MMSs
        
                - name: switchproto
                  type: keyword
                  description: >
                    Protocol change information
        
                - name: sync_status
                  type: keyword
                  description: >
                    The sync status with the master
        
                - name: sync_type
                  type: keyword
                  description: >
                    The sync type with the master
        
                - name: sysuptime
                  type: keyword
                  description: >
                    System uptime
        
                - name: tamac
                  type: keyword
                  description: >
                    The MAC address of the transmitter; if none, then the receiver
        
                - name: threattype
                  type: keyword
                  description: >
                    WIDS threat type
        
                - name: time
                  type: keyword
                  description: >
                    Time of the event
        
                - name: to
                  type: keyword
                  description: >
                    Email to field
        
                - name: to_vcluster
                  type: integer
                  description: >
                    destination virtual cluster number
        
                - name: total
                  type: integer
                  description: >
                    Total memory
        
                - name: totalsession
                  type: integer
                  description: >
                    Total Number of Sessions
        
                - name: trace_id
                  type: keyword
                  description: >
                    Session clash trace ID
        
                - name: trandisp
                  type: keyword
                  description: >
                    NAT translation type
        
                - name: transid
                  type: integer
                  description: >
                    HTTP transaction ID
        
                - name: translationid
                  type: keyword
                  description: >
                    DNS filter translation ID
        
                - name: trigger
                  type: keyword
                  description: >
                    Automation stitch trigger
        
                - name: trueclntip
                  type: ip
                  description: >
                    File filter true client IP
        
                - name: tunnelid
                  type: integer
                  description: >
                    IPSEC tunnel ID
        
                - name: tunnelip
                  type: ip
                  description: >
                    IPSEC tunnel IP
        
                - name: tunneltype
                  type: keyword
                  description: >
                    IPSEC tunnel type
        
                - name: type
                  type: keyword
                  description: >
                    Module type
        
                - name: ui
                  type: keyword
                  description: >
                    Admin authentication UI type
        
                - name: unauthusersource
                  type: keyword
                  description: >
                    Unauthenticated user source
        
                - name: unit
                  type: integer
                  description: >
                    Power supply unit
        
                - name: urlfilteridx
                  type: integer
                  description: >
                    URL filter ID
        
                - name: urlfilterlist
                  type: keyword
                  description: >
                    URL filter list
        
                - name: urlsource
                  type: keyword
                  description: >
                    URL filter source
        
                - name: urltype
                  type: keyword
                  description: >
                    URL filter type
        
                - name: used
                  type: integer
                  description: >
                    Number of Used IPs
        
                - name: used_for_type
                  type: integer
                  description: >
                    Connection for the type
        
                - name: utmaction
                  type: keyword
                  description: >
                    Security action performed by UTM
        
                - name: utmref
                  type: keyword
                  description: >
                    Reference to UTM
        
                - name: vap
                  type: keyword
                  description: >
                    Virtual AP
        
                - name: vapmode
                  type: keyword
                  description: >
                    Virtual AP mode
        
                - name: vcluster
                  type: integer
                  description: >
                    virtual cluster id
        
                - name: vcluster_member
                  type: integer
                  description: >
                    Virtual cluster member
        
                - name: vcluster_state
                  type: keyword
                  description: >
                    Virtual cluster state
        
                - name: vd
                  type: keyword
                  description: >
                    Virtual Domain Name
        
                - name: vdname
                  type: keyword
                  description: >
                    Virtual Domain Name
        
                - name: vendorurl
                  type: keyword
                  description: >
                    Vulnerability scan vendor name
        
                - name: version
                  type: keyword
                  description: >
                    Version
        
                - name: vip
                  type: keyword
                  description: >
                    Virtual IP
        
                - name: virus
                  type: keyword
                  description: >
                    Virus name
        
                - name: virusid
                  type: integer
                  description: >
                    Virus ID (unique virus identifier)
        
                - name: voip_proto
                  type: keyword
                  description: >
                    VOIP protocol
        
                - name: vpn
                  type: keyword
                  description: >
                    VPN description
        
                - name: vpntunnel
                  type: keyword
                  description: >
                    IPsec Vpn Tunnel Name
        
                - name: vpntype
                  type: keyword
                  description: >
                    The type of the VPN tunnel
        
                - name: vrf
                  type: integer
                  description: >
                    VRF number
        
                - name: vulncat
                  type: keyword
                  description: >
                    Vulnerability Category
        
                - name: vulnid
                  type: integer
                  description: >
                    Vulnerability ID
        
                - name: vulnname
                  type: keyword
                  description: >
                    Vulnerability name
        
                - name: vwlid
                  type: integer
                  description: >
                    VWL ID
        
                - name: vwlquality
                  type: keyword
                  description: >
                    VWL quality
        
                - name: vwlservice
                  type: keyword
                  description: >
                    VWL service
        
                - name: vwpvlanid
                  type: integer
                  description: >
                    VWP VLAN ID
        
                - name: wanin
                  type: long
                  description: >
                    WAN incoming traffic in bytes
        
                - name: wanoptapptype
                  type: keyword
                  description: >
                    WAN Optimization Application type
        
                - name: wanout
                  type: long
                  description: >
                    WAN outgoing traffic in bytes
        
                - name: weakwepiv
                  type: keyword
                  description: >
                    Weak Wep Initiation Vector
        
                - name: xauthgroup
                  type: keyword
                  description: >
                    XAuth Group Name
        
                - name: xauthuser
                  type: keyword
                  description: >
                    XAuth User Name
        
                - name: xid
                  type: integer
                  description: >
                    Wireless X ID
        
        
        
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. Unique byte count
                is the number of distinct byte values seen in the request stream; 256 means
                every byte value from 0 through 255 was seen at least once.
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser. Unique byte count
                is the number of distinct byte values seen in the response stream; 256 means
                every byte value from 0 through 255 was seen at least once.
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log.
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form.
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given in the session.
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the version of the application or OS which is
                generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the object.
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of the object.
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: This key is used to capture the new values of the attribute that
                is changing in a session.
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: This key is used to capture the old value of the attribute that
                is changing in a session.
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the attribute that
                is changing in a session.
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept; it is used to capture the
                fully qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept; it is used to capture the
                combination of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the IDS/IPS integer Signature ID.
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or system
                (NOT a MAC address).
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful error codes or responses.
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) and which effectively constitutes a template.
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures a second IDS/IPS integer Signature ID. This must
                be linked to sig.id.
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session.
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware target. VMware-only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
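The Entropy Parser keys above (mcb_*, mcbc_*, ubc_* and payload_*) are simple per-side byte statistics. The following is an added example, not code from the original fields.yml or from NetWitness: it computes those statistics for the request and response side of a constructed session and returns them under the field names used in this schema, then applies an illustrative "does this side look encrypted or compressed" heuristic whose thresholds are assumptions, not NetWitness defaults.

```python
# Added example, not part of the original fields.yml or of NetWitness itself:
# computes the Entropy Parser style per-side metrics described above
# (most common byte, its count, unique byte count, payload size) and
# returns them under the mcb_*/mcbc_*/ubc_*/payload_* names from this schema.
from collections import Counter
from typing import Dict

# Constructed sample streams (not captured traffic). The request is plain
# text; the response covers every byte value with a long run of 0x00.
REQUEST = b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"
RESPONSE = bytes(range(256)) * 2 + b"\x00" * 10

# Illustrative thresholds (assumptions, not NetWitness defaults) for the
# "does this side look encrypted or compressed" heuristic below.
MIN_UNIQUE_BYTES = 200
MAX_MCB_FRACTION = 0.05


def side_metrics(stream: bytes) -> Dict[str, int]:
    """Metrics for one side of a session: mcb, mcbc, ubc and payload size."""
    if not stream:
        # An empty side has no most common byte; keep every field numeric.
        return {"mcb": 0, "mcbc": 0, "ubc": 0, "payload": 0}
    counts = Counter(stream)
    top = max(counts.values())
    # Several byte values may share the top count; pick the lowest one so the
    # result is deterministic regardless of stream order.
    mcb = min(value for value, count in counts.items() if count == top)
    return {"mcb": mcb, "mcbc": top, "ubc": len(counts), "payload": len(stream)}


def entropy_fields(request: bytes, response: bytes) -> Dict[str, int]:
    """Both sides' metrics keyed by the field names used in this schema."""
    req, res = side_metrics(request), side_metrics(response)
    return {
        "mcb_req": req["mcb"], "mcb_res": res["mcb"],
        "mcbc_req": req["mcbc"], "mcbc_res": res["mcbc"],
        "ubc_req": req["ubc"], "ubc_res": res["ubc"],
        "payload_req": req["payload"], "payload_res": res["payload"],
    }


def looks_high_entropy(fields: Dict[str, int], side: str) -> bool:
    """True when a side ('req' or 'res') has nearly all byte values present and
    no single byte dominates, which is how encrypted or compressed payloads
    look to these counters; thresholds are the illustrative ones above."""
    payload = fields[f"payload_{side}"]
    if payload == 0:
        return False
    return (fields[f"ubc_{side}"] >= MIN_UNIQUE_BYTES
            and fields[f"mcbc_{side}"] / payload <= MAX_MCB_FRACTION)


if __name__ == "__main__":
    fields = entropy_fields(REQUEST, RESPONSE)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("request high entropy:", looks_high_entropy(fields, "req"))
    print("response high entropy:", looks_high_entropy(fields, "res"))
```

Note that a plain-text request side yields a small unique byte count (16 here) with whitespace and line terminators as the most common bytes, while the constructed response side reaches the maximum ubc of 256; ties for the most common byte are broken toward the lowest byte value so repeated runs give the same answer.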
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
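The time group separates a normalized event_time (a date) from event_time_str (the raw text kept when the stamp is incomplete), and lc_ctime / recorded_time hold the collector's own clock. The following is an added example, not code from the original fields.yml or from the NetWitness parsers: it normalizes a raw stamp into event_time as UTC ISO 8601, falls back to event_time_str when parsing fails, and handles the usual syslog pitfall of a month/day stamp with no year by borrowing the collection year and stepping back one year when that lands in the future. The format list, the "assumed UTC when no zone" rule and the one-day tolerance are assumptions for this example.

```python
# Added example, not part of the original fields.yml or of the NetWitness
# parsers: normalizes a raw timestamp into event_time (UTC, ISO 8601) and
# falls back to event_time_str when the text cannot be parsed, with the
# usual syslog caveat handled: a month/day stamp with no year is assigned
# the collection year, then moved back one year if that lands in the future.
from datetime import datetime, timedelta, timezone
from typing import Dict

# Formats tried in order; this list is an assumption for the example, not
# the module's own set of patterns.
TIMESTAMP_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",   # 2024-03-05T14:22:01+0000
    "%Y-%m-%d %H:%M:%S",     # 2024-03-05 14:22:01 (assumed UTC)
    "%b %d %H:%M:%S",        # Mar  5 14:22:01 (syslog: no year, no zone)
)

# How far into the future a year-less stamp may land before it is treated
# as belonging to the previous year (clock skew tolerance; an assumption).
FUTURE_TOLERANCE = timedelta(days=1)


def normalize_event_time(raw: str, collected_at: datetime) -> Dict[str, str]:
    """Return {'event_time': <UTC ISO 8601>} or {'event_time_str': raw}.

    collected_at is the collector's own timezone-aware timestamp (the value
    this schema keeps in lc_ctime) and supplies the year for year-less stamps.
    """
    text = " ".join(raw.split())  # collapse syslog's padded day ("Mar  5")
    for fmt in TIMESTAMP_FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            # Also reached for a year-less "Feb 29": strptime's default year
            # is 1900, which is not a leap year, so it is kept as a string.
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)  # assumed UTC when no zone
        if "%Y" not in fmt:
            parsed = parsed.replace(year=collected_at.year)
            if parsed > collected_at + FUTURE_TOLERANCE:
                # Dec 31 log collected on Jan 1: it belongs to last year.
                parsed = parsed.replace(year=collected_at.year - 1)
        utc = parsed.astimezone(timezone.utc)
        return {"event_time": utc.isoformat().replace("+00:00", "Z")}
    return {"event_time_str": raw}


if __name__ == "__main__":
    # Constructed collector clock and raw stamps, not real collected data.
    collected = datetime(2024, 1, 1, 0, 5, 0, tzinfo=timezone.utc)
    for raw in ("Dec 31 23:59:58", "2024-03-05T14:22:01+0000", "last Tuesday"):
        print(raw, "->", normalize_event_time(raw, collected))
```

A stamp that only carries an offset-free time is assumed to be UTC here; in a real deployment that assumption should instead come from the timezone field of the source, since a wrong zone silently shifts every event by hours and breaks correlation with other sources.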
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the theme of a particular event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the subject of a particular event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event category code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used only to capture the authentication methods used
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in
                healthcare to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in
                healthcare to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in
                healthcare to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy usage.
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of a file, as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or the WLAN name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                MaxMind GeoIP database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the MaxMind
                GeoIP database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in
                healthcare to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in
                healthcare to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in
                healthcare to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: gcp
  title: Google Cloud Platform (GCP)
  description: >
    Module for handling logs from Google Cloud.
  fields:
    - name: gcp
      type: group
      description: >
        Fields from Google Cloud logs.
      fields:
        - name: destination.instance
          type: group
          description: >
            If the destination of the connection was a VM located on the same VPC,
            this field is populated with VM instance details. In a Shared VPC
            configuration, project_id corresponds to the project that owns the
            instance, usually the service project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.

            - name: region
              type: keyword
              description: >
                Region of the VM.

            - name: zone
              type: keyword
              description: >
                Zone of the VM.

        - name: destination.vpc
          type: group
          description: >
            If the destination of the connection was a VM located on the same VPC,
            this field is populated with VPC network details. In a Shared VPC
            configuration, project_id corresponds to that of the host project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.

            - name: vpc_name
              type: keyword
              description: >
                VPC on which the VM is operating.

            - name: subnetwork_name
              type: keyword
              description: >
                Subnetwork on which the VM is operating.

        - name: source.instance
          type: group
          description: >
            If the source of the connection was a VM located on the same VPC, this
            field is populated with VM instance details. In a Shared VPC
            configuration, project_id corresponds to the project that owns the
            instance, usually the service project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.

            - name: region
              type: keyword
              description: >
                Region of the VM.

            - name: zone
              type: keyword
              description: >
                Zone of the VM.

        - name: source.vpc
          type: group
          description: >
            If the source of the connection was a VM located on the same VPC, this
            field is populated with VPC network details. In a Shared VPC
            configuration, project_id corresponds to that of the host project.
          fields:
            - name: project_id
              type: keyword
              description: >
                ID of the project containing the VM.

            - name: vpc_name
              type: keyword
              description: >
                VPC on which the VM is operating.

            - name: subnetwork_name
              type: keyword
              description: >
                Subnetwork on which the VM is operating.
        - name: audit
          type: group
          description: >
            Fields for Google Cloud audit logs.
          fields:
          - name: type
            type: keyword
            description: >
              Type property.
          - name: authentication_info
            type: group
            description: >
              Authentication information.
            fields:
            - name: principal_email
              type: keyword
              description: >
                The email address of the authenticated user making the request.
            - name: authority_selector
              type: keyword
              description: >
                The authority selector specified by the requestor, if any. It is not guaranteed
                that the principal was allowed to use this authority.
          - name: authorization_info
            type: array
            description: >
              Authorization information for the operation.
            fields:
            - name: permission
              type: keyword
              description: >
                The required IAM permission.
            - name: granted
              type: boolean
              description: >
                Whether or not authorization for the resource and permission was granted.
            - name: resource_attributes
              type: group
              description: >
                The attributes of the resource.
              fields:
              - name: service
                type: keyword
                description: >
                  The name of the service.
              - name: name
                type: keyword
                description: >
                  The name of the resource.
              - name: type
                type: keyword
                description: >
                  The type of the resource.
          - name: method_name
            type: keyword
            description: >
              The name of the service method or operation. For API calls, this 
              should be the name of the API method. 
              For example, 'google.datastore.v1.Datastore.RunQuery'.
          - name: num_response_items
            type: long
            description: >
              The number of items returned from a List or Query API method, if applicable.
          - name: request
            type: group
            description: >
              The operation request.
            fields:
            - name: proto_name
              type: keyword
              description: >
                Type property of the request.
            - name: filter
              type: keyword
              description: >
                Filter of the request.
            - name: name
              type: keyword
              description: >
                Name of the request. 
            - name: resource_name
              type: keyword
              description: >
                Name of the request resource. 
          - name: request_metadata
            type: group
            description: >
              Metadata about the request.
            fields:
            - name: caller_ip
              type: ip
              description: >
                The IP address of the caller. 
            - name: caller_supplied_user_agent
              type: keyword
              description: >
                The user agent of the caller. This information is not authenticated and 
                should be treated accordingly.
          - name: response
            type: group
            description: >
              The operation response.
            fields:
            - name: proto_name
              type: keyword
              description: >
                Type property of the response.
            - name: details
              type: group
              description: >
                The details of the response.
              fields:
              - name: group
                type: keyword
                description: >
                  The name of the group.
              - name: kind
                type: keyword
                description: >
                  The kind of the response details.
              - name: name
                type: keyword
                description: >
                  The name of the response details.
              - name: uid
                type: keyword
                description: >
                  The uid of the response details.
            - name: status
              type: keyword
              description: >
               Status of the response. 
          - name: resource_name
            type: keyword
            description: >
              The resource or collection that is the target of the operation. 
              The name is a scheme-less URI, not including the API service name. 
              For example, 'shelves/SHELF_ID/books'.
          - name: resource_location
            type: group
            description: >
              The location of the resource.
            fields:
            - name: current_locations
              type: keyword
              description: >
                Current locations of the resource.
          - name: service_name
            type: keyword
            description: >
              The name of the API service performing the operation. 
              For example, datastore.googleapis.com.
          - name: status
            type: group
            description: >
              The status of the overall operation. 
            fields:
            - name: code
              type: integer
              description: >
                The status code, which should be an enum value of google.rpc.Code. 
            - name: message
              type: keyword
              description: >
                A developer-facing error message, which should be in English. Any user-facing 
                error message should be localized and sent in the google.rpc.Status.details 
                field, or localized by the client. 
        - name: firewall
          type: group
          description: >
            Fields for Google Cloud Firewall logs.
          fields:
          - name: rule_details
            type: group
            description: >
              Description of the firewall rule that matched this connection.
            fields:
              - name: priority
                type: long
                description: The priority for the firewall rule.
              - name: action
                type: keyword
                description: Action that the rule performs on match.
              - name: direction
                type: keyword
                description: Direction of traffic that matches this rule.
              - name: reference
                type: keyword
                description: Reference to the firewall rule.
              - name: source_range
                type: keyword
                description: List of source ranges that the firewall rule applies to.
              - name: destination_range
                type: keyword
                description: List of destination ranges that the firewall applies to.
              - name: source_tag
                type: keyword
                description: >
                  List of all the source tags that the firewall rule applies to.
              - name: target_tag
                type: keyword
                description: >
                  List of all the target tags that the firewall rule applies to.
              - name: ip_port_info
                type: array
                description: >
                  List of ip protocols and applicable port ranges for rules.
              - name: source_service_account
                type: keyword
                description: >
                  List of all the source service accounts that the firewall rule applies to.
              - name: target_service_account
                type: keyword
                description: >
                  List of all the target service accounts that the firewall rule applies to.
        - name: vpcflow
          type: group
          description: >
            Fields for Google Cloud VPC flow logs.
          fields:
          - name: reporter
            type: keyword
            description: >
              The side which reported the flow. Can be either 'SRC' or 'DEST'.
        
          - name: rtt.ms
            type: long
            description: >
              Latency as measured (for TCP flows only) during the time interval. This is
              the time elapsed between sending a SEQ and receiving a corresponding ACK
              and it contains the network RTT as well as the application related delay.
- key: google_workspace
  title: "google_workspace"
  description: >
    Google Workspace Module
  fields:
    - name: google_workspace
      type: group
      description: >
        Google Workspace specific fields.

        More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
      fields:
        - name: actor.type
          type: keyword
          description: >
            The type of actor.

            Values can be:
              *USER*: Another user in the same domain.
              *EXTERNAL_USER*: A user outside the domain.
              *KEY*: A non-human actor.
        - name: actor.key
          type: keyword
          description: >
            Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
        - name: event.type
          type: keyword
          description: >
            The type of Google Workspace event, mapped from `items[].events[].type` in the original payload.
            Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
          example: audit#activity
        - name: kind
          type: keyword
          description: >
            The type of API resource, mapped from `kind` in the original payload.
            More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
          example: audit#activity
        - name: organization.domain
          type: keyword
          description: >
              The domain that is affected by the report's event.
        - name: admin
          type: group
          fields:
            - name: application.edition
              type: keyword
              description: The Google Workspace edition.
            - name: application.name
              type: keyword
              description: The application's name.
            - name: application.enabled
              type: keyword
              description: The enabled application.
            - name: application.licences_order_number
              type: keyword
              description: Order number used to redeem licenses.
            - name: application.licences_purchased
              type: keyword
              description: Number of licences purchased.
            - name: application.id
              type: keyword
              description: The application ID.
            - name: application.asp_id
              type: keyword
              description: The application specific password ID.
            - name: application.package_id
              type: keyword
              description: The mobile application package ID.
            - name: group.email
              type: keyword
              description: The group's primary email address.
            - name: new_value
              type: keyword
              description: The new value for the setting.
            - name: old_value
              type: keyword
              description: The old value for the setting.
            - name: org_unit.name
              type: keyword
              description: The organizational unit name.
            - name: org_unit.full
              type: keyword
              description: The org unit full path including the root org unit name.
            - name: setting.name
              type: keyword
              description: The setting name.
            - name: user_defined_setting.name
              type: keyword
              description: The name of the user-defined setting.
            - name: setting.description
              type: keyword
              description: The setting description.
            - name: group.priorities
              type: keyword
              description: Group priorities.
            - name: domain.alias
              type: keyword
              description: The domain alias.
            - name: domain.name
              type: keyword
              description: The primary domain name.
            - name: domain.secondary_name
              type: keyword
              description: The secondary domain name.
            - name: managed_configuration
              type: keyword
              description: The name of the managed configuration.
            - name: non_featured_services_selection
              type: keyword
              description: >
                Non-featured services selection.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
            - name: field
              type: keyword
              description: The name of the field.
            - name: resource.id
              type: keyword
              description: The name of the resource identifier.
            - name: user.email
              type: keyword
              description: The user's primary email address.
            - name: user.nickname
              type: keyword
              description: The user's nickname.
            - name: user.birthdate
              type: date
              description: The user's birth date.
            - name: gateway.name
              type: keyword
              description: Gateway name. Present on some chat settings.
            - name: chrome_os.session_type
              type: keyword
              description: Chrome OS session type.
            - name: device.serial_number
              type: keyword
              description: Device serial number.
            - name: device.id
              type: keyword
            - name: device.type
              type: keyword
              description: Device type.
            - name: print_server.name
              type: keyword
              description: The name of the print server.
            - name: printer.name
              type: keyword
              description: The name of the printer.
            - name: device.command_details
              type: keyword
              description: Command details.
            - name: role.id
              type: keyword
              description: Unique identifier for this role privilege.
            - name: role.name
              type: keyword
              description: >
                The role name.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
            - name: privilege.name
              type: keyword
              description: Privilege name.
            - name: service.name
              type: keyword
              description: The service name.
            - name: url.name
              type: keyword
              description: The website name.
            - name: product.name
              type: keyword
              description: The product name.
            - name: product.sku
              type: keyword
              description: The product SKU.
            - name: bulk_upload.failed
              type: long
              description: Number of failed records in bulk upload operation.
            - name: bulk_upload.total
              type: long
              description: Number of total records in bulk upload operation.
            - name: group.allowed_list
              type: keyword
              description: Names of allow-listed groups.
            - name: email.quarantine_name
              type: keyword
              description: The name of the quarantine.
            - name: email.log_search_filter.message_id
              type: keyword
              description: The log search filter's email message ID.
            - name: email.log_search_filter.start_date
              type: date
              description: The log search filter's start date.
            - name: email.log_search_filter.end_date
              type: date
              description: The log search filter's ending date.
            - name: email.log_search_filter.recipient.value
              type: keyword
              description: The log search filter's email recipient.
            - name: email.log_search_filter.sender.value
              type: keyword
              description: The log search filter's email sender.
            - name: email.log_search_filter.recipient.ip
              type: ip
              description: The log search filter's email recipient's IP address.
            - name: email.log_search_filter.sender.ip
              type: ip
              description: The log search filter's email sender's IP address.
            - name: chrome_licenses.enabled
              type: keyword
              description: >
                Licences enabled.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
            - name: chrome_licenses.allowed
              type: keyword
              description: >
                Licences allowed.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
            - name: oauth2.service.name
              type: keyword
              description: >
                OAuth2 service name.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
            - name: oauth2.application.id
              type: keyword
              description: OAuth2 application ID.
            - name: oauth2.application.name
              type: keyword
              description: OAuth2 application name.
            - name: oauth2.application.type
              type: keyword
              description: >
                OAuth2 application type.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
            - name: verification_method
              type: keyword
              description: >
                Related verification method.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and
                https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
            - name: alert.name
              type: keyword
              description: The alert name.
            - name: rule.name
              type: keyword
              description: The rule name.
            - name: api.client.name
              type: keyword
              description: The API client name.
            - name: api.scopes
              type: keyword
              description: The API scopes.
            - name: mdm.token
              type: keyword
              description: The MDM vendor enrollment token.
            - name: mdm.vendor
              type: keyword
              description: The MDM vendor's name.
            - name: info_type
              type: keyword
              description: >
                This will be used to state what kind of information was changed.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
            - name: email_monitor.dest_email
              type: keyword
              description: The destination address of the email monitor.
            - name: email_monitor.level.chat
              type: keyword
              description: The chat email monitor level.
            - name: email_monitor.level.draft
              type: keyword
              description: The draft email monitor level.
            - name: email_monitor.level.incoming
              type: keyword
              description: The incoming email monitor level.
            - name: email_monitor.level.outgoing
              type: keyword
              description: The outgoing email monitor level.
            - name: email_dump.include_deleted
              type: boolean
              description: Indicates if deleted emails are included in the export.
            - name: email_dump.package_content
              type: keyword
              description: The contents of the mailbox package.
            - name: email_dump.query
              type: keyword
              description: The search query used for the dump.
            - name: request.id
              type: keyword
              description: The request ID.
            - name: mobile.action.id
              type: keyword
              description: The mobile device action's ID.
            - name: mobile.action.type
              type: keyword
              description: >
                The mobile device action's type.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
            - name: mobile.certificate.name
              type: keyword
              description: The mobile certificate common name.
            - name: mobile.company_owned_devices
              type: long
              description: The number of devices a company owns.
            - name: distribution.entity.name
              type: keyword
              description: >
                The distribution entity value, which can be a group name or an org-unit name.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
            - name: distribution.entity.type
              type: keyword
              description: >
                The distribution entity type, which can be a group or an org-unit.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
        - name: drive
          type: group
          fields:
            - name: billable
              type: boolean
              description: Whether this activity is billable.
            - name: source_folder_id
              type: keyword
            - name: source_folder_title
              type: keyword
            - name: destination_folder_id
              type: keyword
            - name: destination_folder_title
              type: keyword
            - name: file.id
              type: keyword
            - name: file.type
              type: keyword
              description: >
                Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: originating_app_id
              type: keyword
              description: >
                The Google Cloud Project ID of the application that performed the action.
            - name: file.owner.email
              type: keyword
            - name: file.owner.is_shared_drive
              type: boolean
              description: >
                Boolean flag denoting whether owner is a shared drive.
            - name: primary_event
              type: boolean
              description: >
                Whether this is a primary event. A single user action in Drive may generate several events.
            - name: shared_drive_id
              type: keyword
              description: >
                The unique identifier of the Team Drive. Only populated for events relating to a Team Drive or item contained inside a Team Drive.
            - name: visibility
              type: keyword
              description: >
                Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: new_value
              type: keyword
              description: >
                When a setting or property of the file changes, the new value for it will appear here.
            - name: old_value
              type: keyword
              description: >
                When a setting or property of the file changes, the old value for it will appear here.
            - name: sheets_import_range_recipient_doc
              type: keyword
              description: Doc ID of the recipient of a sheets import range.
            - name: old_visibility
              type: keyword
              description: >
                When visibility changes, this holds the old value.
            - name: visibility_change
              type: keyword
              description: >
                When visibility changes, this holds the new overall visibility of the file.
            - name: target_domain
              type: keyword
              description: >
                The domain for which the access scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
            - name: added_role
              type: keyword
              description: >
                Added membership role of a user/group in a Team Drive.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: membership_change_type
              type: keyword
              description: >
                Type of change in Team Drive membership of a user/group.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: shared_drive_settings_change_type
              type: keyword
              description: >
                Type of change in Team Drive settings.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: removed_role
              type: keyword
              description: >
                Removed membership role of a user/group in a Team Drive.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
            - name: target
              type: keyword
              description: Target user or group.
        
        - name: groups
          type: group
          fields:
            - name: acl_permission
              type: keyword
              description: >
                Group permission setting updated.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: email
              type: keyword
              description: >
                Group email.
            - name: member.email
              type: keyword
              description: >
                Member email.
            - name: member.role
              type: keyword
              description: >
                Member role.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: setting
              type: keyword
              description: >
                Group setting updated.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: new_value
              type: keyword
              description: >
                New value(s) of the group setting.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: old_value
              type: keyword
              description: >
                Old value(s) of the group setting.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: value
              type: keyword
              description: >
                Value of the group setting.
                For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
            - name: message.id
              type: keyword
              description: >
                SMTP message Id of an email message.
                Present for moderation events.
            - name: message.moderation_action
              type: keyword
              description: >
                Message moderation action.
                Possible values are `approved` and `rejected`.
            - name: status
              type: keyword
              description: >
                A status describing the output of an operation.
                Possible values are `failed` and `succeeded`.
        
        - name: login
          type: group
          fields:
            - name: affected_email_address
              type: keyword
            - name: challenge_method
              type: keyword
              description: >
                Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
            - name: failure_type
              type: keyword
              description: >
                Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
            - name: type
              type: keyword
              description: >
                Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
            - name: is_second_factor
              type: boolean
            - name: is_suspicious
              type: boolean
        - name: saml
          type: group
          fields:
            - name: application_name
              type: keyword
              description: >
                SAML SP application name.
            - name: failure_type
              type: keyword
              description: >
                Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
            - name: initiated_by
              type: keyword
              description: >
                Requester of SAML authentication.
            - name: orgunit_path
              type: keyword
              description: >
                  User orgunit.
            - name: status_code
              type: keyword
              description: >
                SAML status code.
            - name: second_level_status_code
              type: keyword
              description: >
                SAML second level status code.
- key: ibmmq
  title: "ibmmq"
  description: >
    ibmmq Module
  release: ga
  fields:
    - name: ibmmq
      type: group
      description: >
      fields:
        - name: errorlog
          description: IBM MQ error logs
          type: group
          fields:
          - name: installation
            description: >
              This is the installation name which can be given at installation time.
        
              Each installation of IBM MQ on UNIX, Linux, and Windows has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.
        
            type: keyword
          - name: qmgr
            description: >
              Name of the queue manager. Queue managers provide queuing services to applications and manage the queues that belong to them.
            type: keyword
          - name: arithinsert
            description: Changing content based on error.id
            type: keyword
          - name: commentinsert
            description: Changing content based on error.id
            type: keyword
          - name: errordescription
            description: Please add description
            example: Please add example
            type: text
          - name: explanation
            description: Explains the error in more detail
            type: keyword
          - name: action
            description: Defines what to do when the error occurs
            type: keyword
          - name: code
            description: Error code.
            type: keyword
- key: imperva
  title: Imperva SecureSphere
  description: >
    imperva fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, &lt; 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
               description: A default set of parameters which are overlaid onto a rule (or
                 rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
               description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
               description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
               description: VMware Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
               description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
               description: This key is used to capture the checksum or hash of the target
                 entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
               description: This is used to capture the list of languages the client supports
                 and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) directly; this
                is a reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures the number of streams in a session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet Type; used for Layer 3 Protocols
                only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname when a Forwarding
                Agent or a Proxy is in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; this is used predominantly in Healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; this is used predominantly in Healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; this is used predominantly in Healthcare
                to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, i.e. the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy usage.
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, i.e. the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GEOPIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GEOPIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in Healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: infoblox
  title: Infoblox NIOS
  description: >
    infoblox fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, like a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (Ex: Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (Ex: Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (Ex: User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (Ex: Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GEOPIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GEOPIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as <strong>blacklisted</strong>, <strong>infected</strong>, <strong>firewall
                disabled</strong> and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: iptables
  title: iptables
  description: >
    Module for handling the iptables logs.
  fields:
    - name: iptables
      type: group
      description: >
        Fields from the iptables logs.
      fields:
        - name: ether_type
          type: long
          description: >
            Value of the ethernet type field identifying the network layer protocol.
        
        - name: flow_label
          type: integer
          description: >
            IPv6 flow label.
        
        - name: fragment_flags
          type: keyword
          description: >
            IP fragment flags. A combination of CE, DF and MF.
        
        - name: fragment_offset
          type: long
          description: >
            Offset of the current IP fragment.
        
        - name: icmp
          type: group
          description: >
            ICMP fields.
          fields:
        
          - name: code
            type: long
            description: >
              ICMP code.
        
          - name: id
            type: long
            description: >
              ICMP ID.
        
          - name: parameter
            type: long
            description: >
              ICMP parameter.
        
          - name: redirect
            type: ip
            description: >
              ICMP redirect address.
        
          - name: seq
            type: long
            description: >
              ICMP sequence number.
        
          - name: type
            type: long
            description: >
              ICMP type.
        
        - name: id
          type: long
          description: >
            Packet identifier.
        
        - name: incomplete_bytes
          type: long
          description: >
            Number of incomplete bytes.
        
        - name: input_device
          type: keyword
          description: >
            Device that received the packet.
        
        - name: precedence_bits
          type: short
          description: >
            IP precedence bits.
        
        - name: tos
          type: long
          description: >
              IP Type of Service field.
        
        - name: length
          type: long
          description: >
            Packet length.
        
        - name: output_device
          type: keyword
          description: >
            Device that output the packet.
        
        - name: tcp
          type: group
          description: >
            TCP fields.
          fields:
        
          - name: flags
            type: keyword
            description: >
              TCP flags.
        
          - name: reserved_bits
            type: short
            description: >
              TCP reserved bits.
        
          - name: seq
            type: long
            description: >
              TCP sequence number.
        
          - name: ack
            type: long
            description: >
              TCP Acknowledgment number.
        
          - name: window
            type: long
            description: >
              Advertised TCP window size.
        
        - name: ttl
          type: integer
          description: >
            Time To Live field.
        
        - name: udp
          type: group
          description: >
            UDP fields.
          fields:
        
          - name: length
            type: long
            description: >
              Length of the UDP header and payload.
        
        - name: ubiquiti
          type: group
          description: >
            Fields for Ubiquiti network devices.
          fields:
        
            - name: input_zone
              type: keyword
              description: >
                Input zone.
        
            - name: output_zone
              type: keyword
              description: >
                Output zone.
        
            - name: rule_number
              type: keyword
              description:
                The rule number within the rule set.
        
            - name: rule_set
              type: keyword
              description:
                The rule set name.
- key: juniper
  title: Juniper JUNOS
  description: >
    juniper fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, &lt; 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the
                combination of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                 and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never be
                 used to parse metadata from a session (logs/packets) directly; it is a
                 reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                 of a hostname is not clear. It also captures the device hostname, i.e. any
                 hostname that isn't ad.computer
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy in current
                 use, TM is Int32 and INDEX is UInt64; neither is the correct UInt16'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; protocol
                 numbers are displayed as their string names in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
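The entries above only declare names and Elasticsearch types; what they imply at ingest time is not visible in the list itself. A `long` field accepts a numeric string such as `"443"` (default coercion) but rejects `"N/A"`, an `ip` field rejects anything that does not parse as an address, and a single rejected value drops the whole event from the index, which is a detection gap rather than a mapping nuisance. The following is an added example, not code from this module or from NetWitness; it builds the flattened mapping for a constructed subset of the `network` group above and checks sample events against it. The `network.<name>` flattening and the range limits (16-bit port, 12-bit VLAN ID, 8-bit ICMP type/code, taken from the field descriptions) are assumptions of the example, and the sample events are constructed, not real log records.

```python
import ipaddress

# Constructed subset of the "network" group above: same names and types as the
# page declares, trimmed to what the checks below need.
NETWORK_FIELDS = [
    {"name": "alias_host", "type": "keyword"},
    {"name": "host_dst", "type": "keyword"},
    {"name": "port", "type": "long"},
    {"name": "network_port", "type": "long"},   # deprecated in favour of port
    {"name": "vlan", "type": "long"},
    {"name": "icmp_type", "type": "long"},
    {"name": "icmp_code", "type": "long"},
    {"name": "paddr", "type": "ip"},
    {"name": "gateway", "type": "keyword"},     # an address stored as a string
]

# Assumed wire-level widths; the mapping type (long) is wider than any of these,
# so out-of-range values index fine and have to be caught here.
RANGE_LIMITS = {
    "network.port": (0, 65535),
    "network.network_port": (0, 65535),
    "network.vlan": (0, 4095),
    "network.icmp_type": (0, 255),
    "network.icmp_code": (0, 255),
}


def build_mapping(group, fields):
    """Flatten one fields.yml group into Elasticsearch-style properties."""
    return {f"{group}.{f['name']}": {"type": f["type"]} for f in fields}


def _check_value(field, value, es_type):
    """Return None if Elasticsearch would index value as es_type, else a reason."""
    if es_type == "keyword":
        # Scalars (including numbers) are stored as strings; objects are rejected.
        if isinstance(value, dict):
            return f"{field}: object cannot be indexed into a keyword (event rejected)"
        return None
    if es_type == "long":
        if isinstance(value, bool):
            return f"{field}: boolean is not a long (event rejected)"
        if isinstance(value, int):
            n = value
        elif isinstance(value, str) and value.strip().lstrip("-").isdigit():
            n = int(value)  # default coercion turns "443" into 443
        else:
            return f"{field}: {value!r} cannot be coerced to long (event rejected)"
        lo, hi = RANGE_LIMITS.get(field, (-2 ** 63, 2 ** 63 - 1))
        if not lo <= n <= hi:
            return f"{field}: {n} outside [{lo}, {hi}]"
        return None
    if es_type == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{field}: {value!r} is not an IP address (event rejected)"
        return None
    return f"{field}: unhandled type {es_type}"


def check_event(event, mapping):
    """Validate a flattened event; return the list of problems (empty if clean)."""
    problems = []
    for field, value in event.items():
        if field not in mapping:
            problems.append(f"{field}: not in mapping, dynamic mapping would guess a type")
            continue
        reason = _check_value(field, value, mapping[field]["type"])
        if reason:
            problems.append(reason)
    return problems


# Constructed sample events, not taken from any real log source.
GOOD_EVENT = {"network.host_dst": "db01", "network.port": "443",
              "network.paddr": "10.0.0.5", "network.vlan": 120}
BAD_EVENT = {"network.port": "N/A", "network.icmp_type": 300,
             "network.paddr": "not-an-ip", "network.gateway": {"ip": "10.0.0.1"}}

if __name__ == "__main__":
    mapping = build_mapping("network", NETWORK_FIELDS)
    for label, event in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(label, check_event(event, mapping))
```

Running a check like this in the pipeline (or at least alerting on the index's rejected-document count) is what turns a silent mapping exception into a visible ingestion failure.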
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture Behaviours of Compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client
                supports and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never
                be used to parse metadata directly from a session (logs/packets); it is
                a reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process ID of a connection to the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that is not ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet type (layer 3 protocols
                only)
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; all
                protocol numbers are converted to strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the theme of a particular event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the subject of a particular event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event category code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture an indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: This key is for Uninterpreted LDAP values. LDAP values that don't
                have a clear query or response context
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used for capturing the name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the Company name of a file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only; it is used predominantly in Healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only; it is used predominantly in Healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: juniper.srx
          type: group
          release: beta
          overwrite: true
          description: >
            Module for parsing junipersrx syslog.
          fields:
            - name: reason
              type: keyword
              description: >
                reason
        
            - name: connection_tag
              type: keyword
              description: >
                connection tag
        
            - name: service_name
              type: keyword
              description: >
                service name
        
            - name: nat_connection_tag
              type: keyword
              description: >
                nat connection tag
        
            - name: src_nat_rule_type
              type: keyword
              description: >
                src nat rule type
        
            - name: src_nat_rule_name
              type: keyword
              description: >
                src nat rule name
        
            - name: dst_nat_rule_type
              type: keyword
              description: >
                dst nat rule type
        
            - name: dst_nat_rule_name
              type: keyword
              description: >
                dst nat rule name
        
            - name: protocol_id
              type: keyword
              description: >
                protocol id
        
            - name: policy_name
              type: keyword
              description: >
                policy name
        
            - name: session_id_32
              type: keyword
              description: >
                session id 32
        
            - name: session_id
              type: keyword
              description: >
                session id
        
            - name: outbound_packets
              type: integer
              description: >
                packets from client
        
            - name: outbound_bytes
              type: integer
              description: >
                bytes from client
        
            - name: inbound_packets
              type: integer
              description: >
                packets from server
        
            - name: inbound_bytes
              type: integer
              description: >
                bytes from server
        
            - name: elapsed_time
              type: date
              description: >
                elapsed time
        
            - name: application
              type: keyword
              description: >
                application
        
            - name: nested_application
              type: keyword
              description: >
                nested application
        
            - name: username
              type: keyword
              description: >
                username
        
            - name: roles
              type: keyword
              description: >
                roles
        
            - name: encrypted
              type: keyword
              description: >
                encrypted
        
            - name: application_category
              type: keyword
              description: >
                application category
        
            - name: application_sub_category
              type: keyword
              description: >
                application sub category
        
            - name: application_characteristics
              type: keyword
              description: >
                application characteristics
        
            - name: secure_web_proxy_session_type
              type: keyword
              description: >
                secure web proxy session type
        
            - name: peer_session_id
              type: keyword
              description: >
                peer session id
        
            - name: peer_source_address
              type: ip
              description: >
                peer source address
        
            - name: peer_source_port
              type: integer
              description: >
                peer source port
        
            - name: peer_destination_address
              type: ip
              description: >
                peer destination address
        
            - name: peer_destination_port
              type: integer
              description: >
                peer destination port
        
            - name: hostname
              type: keyword
              description: >
                hostname
        
            - name: src_vrf_grp
              type: keyword
              description: >
                src_vrf_grp
        
            - name: dst_vrf_grp
              type: keyword
              description: >
                dst_vrf_grp
        
            - name: icmp_type
              type: integer
              description: >
                icmp type
        
            - name: process
              type: keyword
              description: >
                process that generated the message
        
            - name: apbr_rule_type
              type: keyword
              description: >
                apbr rule type
        
            - name: dscp_value
              type: integer
              description: >
                dscp value
        
            - name: logical_system_name
              type: keyword
              description: >
                logical system name
        
            - name: profile_name
              type: keyword
              description: >
                profile name
        
            - name: routing_instance
              type: keyword
              description: >
                routing instance
        
            - name: rule_name
              type: keyword
              description: >
                rule name
        
            - name: uplink_tx_bytes
              type: integer
              description: >
                uplink tx bytes
        
            - name: uplink_rx_bytes
              type: integer
              description: >
                uplink rx bytes
        
            - name: obj
              type: keyword
              description: >
                url path
        
            - name: url
              type: keyword
              description: >
                url domain
        
            - name: profile
              type: keyword
              description: >
                filter profile
        
            - name: category
              type: keyword
              description: >
                filter category
        
            - name: filename
              type: keyword
              description: >
                filename
        
            - name: temporary_filename
              type: keyword
              description: >
                temporary_filename
        
            - name: name
              type: keyword
              description: >
                name
        
            - name: error_message
              type: keyword
              description: >
                error_message
        
            - name: error_code
              type: keyword
              description: >
                error_code
        
            - name: action
              type: keyword
              description: >
                action
        
            - name: protocol
              type: keyword
              description: >
                protocol
        
            - name: protocol_name
              type: keyword
              description: >
                protocol name
        
            - name: type
              type: keyword
              description: >
                type
        
            - name: repeat_count
              type: integer
              description: >
                repeat count
        
            - name: alert
              type: keyword
              description: >
                repeat alert
        
            - name: message_type
              type: keyword
              description: >
                message type
        
            - name: threat_severity
              type: keyword
              description: >
                threat severity
        
            - name: application_name
              type: keyword
              description: >
                application name
        
            - name: attack_name
              type: keyword
              description: >
                attack name
        
            - name: index
              type: keyword
              description: >
                index
        
            - name: message
              type: keyword
              description: >
                message
        
            - name: epoch_time
              type: date
              description: >
                epoch time
        
            - name: packet_log_id
              type: integer
              description: >
                packet log id
        
            - name: export_id
              type: integer
              description: >
                packet log id
        
            - name: ddos_application_name
              type: keyword
              description: >
                ddos application name
        
            - name: connection_hit_rate
              type: integer
              description: >
                connection hit rate
        
            - name: time_scope
              type: keyword
              description: >
                time scope
        
            - name: context_hit_rate
              type: integer
              description: >
                context hit rate
        
            - name: context_value_hit_rate
              type: integer
              description: >
                context value hit rate
        
            - name: time_count
              type: integer
              description: >
                time count
        
            - name: time_period
              type: integer
              description: >
                time period
        
            - name: context_value
              type: keyword
              description: >
                context value
        
            - name: context_name
              type: keyword
              description: >
                context name
        
            - name: ruleebase_name
              type: keyword
              description: >
                ruleebase name
        
            - name: verdict_source
              type: keyword
              description: >
                verdict source
        
            - name: verdict_number
              type: integer
              description: >
                verdict number
        
            - name: file_category
              type: keyword
              description: >
                file category
        
            - name: sample_sha256
              type: keyword
              description: >
                sample sha256
        
            - name: malware_info
              type: keyword
              description: >
                malware info
        
            - name: client_ip
              type: ip
              description: >
                client ip
        
            - name: tenant_id
              type: keyword
              description: >
                tenant id
        
            - name: timestamp
              type: date
              description: >
                timestamp
        
            - name: th
              type: keyword
              description: >
                th
        
            - name: status
              type: keyword
              description: >
                status
        
            - name: state
              type: keyword
              description: >
                state
        
            - name: file_hash_lookup
              type: keyword
              description: >
               file hash lookup
        
            - name: file_name
              type: keyword
              description: >
               file name
        
            - name: action_detail
              type: keyword
              description: >
               action detail
        
            - name: sub_category
              type: keyword
              description: >
               sub category
        
            - name: feed_name
              type: keyword
              description: >
               feed name
        
            - name: occur_count
              type: integer
              description: >
               occur count
        
            - name: tag
              type: keyword
              description: >
                system log message tag, which uniquely identifies the message.
        
- key: microsoft
  title: Microsoft
  description: >
    Microsoft Module
  fields:
        - name: microsoft.defender_atp
          type: group
          release: ga
          description: >
            Module for ingesting Microsoft Defender ATP.
          fields:
            - name: lastUpdateTime
              type: date
              description: >
                The date and time (in UTC) the alert was last updated.
        
            - name: resolvedTime
              type: date
              description: >
                The date and time in which the status of the alert was changed to 'Resolved'.
        
            - name: incidentId
              type: keyword
              description: >
                The Incident ID of the Alert.
        
            - name: investigationId
              type: keyword
              description: >
                The Investigation ID related to the Alert.
        
            - name: investigationState
              type: keyword
              description: >
                The current state of the Investigation.
        
            - name: assignedTo
              type: keyword
              description: >
                Owner of the alert.
        
            - name: status
              type: keyword
              description: >
                Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
        
            - name: classification
              type: keyword
              description: >
                Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
        
            - name: determination
              type: keyword
              description: >
                Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
        
            - name: threatFamilyName
              type: keyword
              description: >
                Threat family.
        
            - name: rbacGroupName
              type: keyword
              description: >
                User group related to the alert
        
            - name: evidence.domainName
              type: keyword
              description: >
                Domain name related to the alert
        
            - name: evidence.ipAddress
              type: ip
              description: >
                IP address involved in the alert
        
            - name: evidence.aadUserId
              type: keyword
              description: >
                ID of the user involved in the alert
        
            - name: evidence.accountName
              type: keyword
              description: >
                Username of the user involved in the alert
        
            - name: evidence.entityType
              type: keyword
              description: >
                The type of evidence
        
            - name: evidence.userPrincipalName
              type: keyword
              description: >
                Principal name of the user involved in the alert
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only; this should be
                a numeric value. Use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: microsoft.m365_defender
          type: group
          release: beta
          description: >
            Module for ingesting Microsoft Defender ATP.
          fields:
            - name: incidentId
              type: keyword
              description: >
                Unique identifier to represent the incident.
            - name: redirectIncidentId
              type: keyword
              description: >
                Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
            - name: incidentName
              type: keyword
              description: >
                Name of the Incident.
            - name: determination
              type: keyword
              description: >
                Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
            - name: investigationState
              type: keyword
              description: >
                The current state of the Investigation.
            - name: assignedTo
              type: keyword
              description: >
                Owner of the alert.
            - name: tags
              type: keyword
              description: >
                Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
            - name: status
              type: keyword
              description: >
                Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
            - name: classification
              type: keyword
              description: >
                Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
            - name: alerts.incidentId
              type: keyword
              description: >
                Unique identifier to represent the incident this alert is associated with.
            - name: alerts.resolvedTime
              type: date
              description: >
                Time when alert was resolved.
            - name: alerts.status
              type: keyword
              description: >
                Categorize alerts (as New, Active, or Resolved).
            - name: alerts.severity
              type: keyword
              description: >
                The severity of the related alert.
            - name: alerts.creationTime
              type: date
              description: >
                Time when alert was first created.
            - name: alerts.lastUpdatedTime
              type: date
              description: >
                Time when alert was last updated.
            - name: alerts.investigationId
              type: keyword
              description: >
                The automated investigation id triggered by this alert.
            - name: alerts.userSid
              type: keyword
              description: >
                The SID of the related user
            - name: alerts.detectionSource
              type: keyword
              description: >
                The service that initially detected the threat.
            - name: alerts.classification
              type: keyword
              description: >
                The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null.
            - name: alerts.investigationState
              type: keyword
              description: >
                Information on the investigation's current status.
            - name: alerts.determination
              type: keyword
              description: >
                Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
            - name: alerts.assignedTo
              type: keyword
              description: >
                Owner of the incident, or null if no owner is assigned.
            - name: alerts.actorName
              type: keyword
              description: >
                The activity group, if any, associated with this alert.
            - name: alerts.threatFamilyName
              type: keyword
              description: >
                Threat family associated with this alert.
            - name: alerts.mitreTechniques
              type: keyword
              description: >
                The attack techniques, as aligned with the MITRE ATT&CK™ framework.
            - name: alerts.entities.entityType
              type: keyword
              description: >
                Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
            - name: alerts.entities.accountName
              type: keyword
              description: >
                Account name of the related user.
            - name: alerts.entities.mailboxDisplayName
              type: keyword
              description: >
                The display name of the related mailbox.
            - name: alerts.entities.mailboxAddress
              type: keyword
              description: >
                The mail address of the related mailbox.
            - name: alerts.entities.clusterBy
              type: keyword
              description: >
                A list of metadata if the entityType is MailCluster.
            - name: alerts.entities.sender
              type: keyword
              description: >
                The sender for the related email message.
            - name: alerts.entities.recipient
              type: keyword
              description: >
                The recipient for the related email message.
            - name: alerts.entities.subject
              type: keyword
              description: >
                The subject for the related email message.
            - name: alerts.entities.deliveryAction
              type: keyword
              description: >
                The delivery status for the related email message.
            - name: alerts.entities.securityGroupId
              type: keyword
              description: >
                The Security Group ID for the user related to the email message.
            - name: alerts.entities.securityGroupName
              type: keyword
              description: >
                The Security Group Name for the user related to the email message.
            - name: alerts.entities.registryHive
              type: keyword
              description: >
                Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE.
            - name: alerts.entities.registryKey
              type: keyword
              description: >
                Reference to the related registry key to the event.
            - name: alerts.entities.registryValueType
              type: keyword
              description: >
                Value type of the registry key/value pair related to the event.
            - name: alerts.entities.deviceId
              type: keyword
              description: >
                The unique ID of the device related to the event.
            - name: alerts.entities.ipAddress
              type: keyword
              description: >
                The related IP address to the event.
            - name: alerts.devices
              type: flattened
              description: >
                  The devices related to the investigation.
        
- key: misp
  title: MISP
  description: >
    Module for handling threat information from MISP.
  fields:
    - name: misp
      type: group
      description: >
        Fields from MISP threat information.
      fields:
        - name: attack_pattern
          title: Attack Pattern
          short: Fields that let you store attack patterns
          description: >
            Fields provide support for specifying information about attack patterns.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the threat indicator.
        
          - name: name
            level: core
            type: keyword
            description: >
              Name of the attack pattern.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the attack pattern.
        
          - name: kill_chain_phases
            level: extended
            type: keyword
            description: >
              The kill chain phase(s) to which this attack pattern corresponds.
        
        - name: campaign
          title: Campaign
          short: Fields that let you store campaign information
          description: >
            Fields provide support for specifying information about campaigns.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the campaign.
        
          - name: name
            level: core
            type: keyword
            description: >
              Name of the campaign.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the campaign.
        
          - name: aliases
            level: extended
            type: text
            description: >
              Alternative names used to identify this campaign.
        
          - name: first_seen
            level: core
            type: date
            description: >
              The time that this Campaign was first seen, in RFC3339 format.
        
          - name: last_seen
            level: core
            type: date
            description: >
              The time that this Campaign was last seen, in RFC3339 format.
        
          - name: objective
            level: core
            type: keyword
            description: >
              This field defines the Campaign's primary goal, objective, desired outcome, or intended effect.
        
        - name: course_of_action
          title: Course of Action
          short: Fields that let you store information about course of action.
          description: >
            A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Course of Action.
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Course of Action.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the Course of Action.
        
        - name: identity
          title: Identity
          short: Fields that let you store information about identity.
          description: >
            Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Identity.
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Identity.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the Identity.
        
          - name: identity_class
            level: core
            type: keyword
            description: >
              The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov 
        
          - name: labels
            level: extended
            type: keyword
            description: >
              The list of roles that this Identity performs.  
            example: >
              CEO
        
          - name: sectors
            level: extended
            type: keyword
            description: >
              The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov 
        
          - name: contact_information
            level: extended
            type: text
            description: >
              The contact information (e-mail, phone number, etc.) for this Identity.
        
        - name: intrusion_set
          title: Intrusion Set
          short: Fields that let you store information about Intrusion Set.
          description: >
            An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Intrusion Set.
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Intrusion Set.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the Intrusion Set.
        
          - name: aliases
            level: extended
            type: text
            description: >
              Alternative names used to identify the Intrusion Set.
        
          - name: first_seen
            level: extended
            type: date
            description: >
              The time that this Intrusion Set was first seen, in RFC3339 format.
        
          - name: last_seen
            level: extended
            type: date
            description: >
              The time that this Intrusion Set was last seen, in RFC3339 format.
        
          - name: goals
            level: extended
            type: text
            description: >
              The high level goals of this Intrusion Set, namely, what are they trying to do.
        
          - name: resource_level
            level: extended
            type: text
            description: >
              This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov
        
          - name: primary_motivation
            level: extended
            type: text
            description: >
              The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov
        
          - name: secondary_motivations
            level: extended
            type: text
            description: >
              The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov
        
        - name: malware
          title: Malware
          short: Fields that let you store information about Malware.
          description: >
            Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Malware.
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Malware.
        
          - name: description
            level: extended
            type: text
            description: >
              Description of the Malware.
        
          - name: labels
            level: core
            type: keyword
            description: >
              The type of malware being described.
              Open Vocab - malware-label-ov.
              adware, backdoor, bot, ddos, dropper, exploit-kit, keylogger, ransomware, remote-access-trojan, resource-exploitation, rogue-security-software, rootkit, screen-capture, spyware, trojan, virus, worm
        
          - name: kill_chain_phases
            format: string
            level: extended
            type: keyword
            description: >
              The list of kill chain phases for which this Malware instance can be used.
        
        - name: note
          title: Note
          short: Fields that let you store information about Notes.
          description: >
            A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Note.
        
          - name: summary
            level: extended
            type: keyword
            description: >
              A brief description used as a summary of the Note.
        
          - name: description
            level: extended
            type: text
            description: >
              The content of the Note.
        
          - name: authors
            level: extended
            type: keyword
            description: >
              The name of the author(s) of this Note.
        
          - name: object_refs
            level: extended
            type: keyword
            description: >
              The STIX Objects (SDOs and SROs) that the note is being applied to.
        
        - name: threat_indicator
          title: Threat Indicator
          short: Fields that let you store Threat Indicators
          description: >
            Fields provide support for specifying information about threat indicators, and related matching patterns.
          type: group
          fields:
        
          - name: labels
            level: core
            type: keyword
            description: >
              A list of type open-vocab that specifies the type of indicator.
            example: >
              Domain Watchlist
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the threat indicator.
        
          - name: version
            level: core
            type: keyword
            description: >
              Version of the threat indicator.
        
          - name: type
            level: core
            type: keyword
            description: >
              Type of the threat indicator.
        
          - name: description
            level: core
            type: text
            description: >
              Description of the threat indicator.
        
          - name: feed
            level: core
            type: text
            description: >
              Name of the threat feed.
        
          - name: valid_from
            level: core
            type: date
            description: >
              The time from which this Indicator should be considered valuable 
              intelligence, in RFC3339 format.
        
          - name: valid_until
            level: core
            type: date
            description: >
              The time at which this Indicator should no longer be considered valuable intelligence. If the valid_until property is omitted, then there is no constraint on the latest time for which the indicator should be used, in RFC3339 format.
        
          - name: severity
            format: string
            level: core
            type: keyword
            description: >
              Threat severity to which this indicator corresponds.
            example: high
        
          - name: confidence
            level: core
            type: keyword
            description: >
              Confidence level to which this indicator corresponds.
            example: high
        
          - name: kill_chain_phases
            format: string
            level: extended
            type: keyword
            description: >
              The kill chain phase(s) to which this indicator corresponds.
        
          - name: mitre_tactic
            format: string
            level: extended
            type: keyword
            description: >
              MITRE tactics to which this indicator corresponds.
            example: Initial Access
        
          - name: mitre_technique
            format: string
            level: extended
            type: keyword
            description: >
              MITRE techniques to which this indicator corresponds.
            example: Drive-by Compromise
        
          - name: attack_pattern
            level: core
            type: keyword
            description: >
              The attack_pattern for this indicator is a STIX Pattern as specified in STIX Version 2.0 Part 5 - STIX Patterning. 
            example: >
              [destination:ip = '91.219.29.188/32']
        
          - name: attack_pattern_kql
            level: core
            type: keyword
            description: >
              The attack_pattern_kql for this indicator is a KQL query that matches the same events as the STIX Pattern in attack_pattern, so the indicator can be run directly against indexed data.
            example: >
              destination.ip: "91.219.29.188/32"
        
          - name: negate
            level: core
            type: boolean
            description: >
              When set to true, it specifies the absence of the attack_pattern.
          
          - name: intrusion_set
            level: extended
            type: keyword
            description: >
              Name of the intrusion set if known.
        
          - name: campaign
            level: extended
            type: keyword
            description: >
              Name of the attack campaign if known.
        
          - name: threat_actor
            level: extended
            type: keyword
            description: >
              Name of the threat actor if known.
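
The following Python is an added worked example, not code from the module or from Elastic: it shows how attack_pattern, attack_pattern_kql, negate, valid_from and valid_until work together. It translates the single-comparison STIX pattern form used in the field examples above into the KQL form, evaluates an indicator against ECS-shaped events (CIDR containment for IP values, exact match otherwise), and honours negate and the validity window. The indicator document, the sample events and the helper names (parse_pattern, to_kql, is_valid_at, indicator_hits) are this example's own assumptions; it supports only the one-comparison equality form shown in the examples, not full STIX patterning.

```python
from __future__ import annotations

import ipaddress
import re
from datetime import datetime

# Constructed indicator document shaped like the threat_indicator fields above
# (values are made up for this example).
INDICATOR = {
    "id": "indicator--example-0001",
    "attack_pattern": "[destination:ip = '91.219.29.188/32']",
    "negate": False,
    "valid_from": "2023-01-01T00:00:00Z",
    "valid_until": None,  # omitted/None: no upper bound, as the field description says
}

# Constructed ECS-shaped events to evaluate the indicator against.
EVENTS = [
    {"destination": {"ip": "91.219.29.188", "port": 443}},
    {"destination": {"ip": "10.0.0.7", "port": 443}},
]

# One STIX comparison of the form [object:path = 'value']. Only this single
# equality comparison (the form used in the field examples) is supported here.
_COMPARISON = re.compile(
    r"^\[\s*(?P<obj>[\w-]+):(?P<path>[\w.]+)\s*=\s*'(?P<value>[^']*)'\s*\]$"
)


def parse_pattern(pattern: str) -> tuple[str, str]:
    """'[destination:ip = '1.2.3.4/32']' -> ('destination.ip', '1.2.3.4/32')."""
    m = _COMPARISON.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return f"{m.group('obj')}.{m.group('path')}", m.group("value")


def to_kql(pattern: str) -> str:
    """Render the pattern as the KQL form stored in attack_pattern_kql."""
    field, value = parse_pattern(pattern)
    value = value.replace("\\", "\\\\").replace('"', '\\"')  # keep KQL quoting intact
    return f'{field}: "{value}"'


def _parse_ts(value: str) -> datetime:
    # RFC 3339 timestamps with a trailing Z; fromisoformat accepts 'Z' only from 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_valid_at(indicator: dict, when: str) -> bool:
    """valid_from is a lower bound; a missing valid_until means no upper bound."""
    if _parse_ts(when) < _parse_ts(indicator["valid_from"]):
        return False
    until = indicator.get("valid_until")
    return until is None or _parse_ts(when) < _parse_ts(until)


def _value_matches(actual, expected: str) -> bool:
    """CIDR containment when the indicator value parses as a network, else exact match."""
    try:
        return ipaddress.ip_address(str(actual)) in ipaddress.ip_network(expected, strict=False)
    except ValueError:
        return str(actual) == expected


def _lookup(event: dict, dotted: str):
    """Walk a dotted ECS path ('destination.ip') through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def indicator_hits(indicator: dict, event: dict, when: str) -> bool:
    """Evaluate one indicator against one event, honouring negate and the validity window."""
    if not is_valid_at(indicator, when):
        return False
    field, expected = parse_pattern(indicator["attack_pattern"])
    actual = _lookup(event, field)
    matched = actual is not None and _value_matches(actual, expected)
    # negate=true asserts the *absence* of the pattern, so invert the match.
    return (not matched) if indicator.get("negate") else matched


if __name__ == "__main__":
    now = "2024-06-01T12:00:00Z"
    print(to_kql(INDICATOR["attack_pattern"]))
    for ev in EVENTS:
        print(ev["destination"]["ip"], indicator_hits(INDICATOR, ev, now))
```

An indicator whose valid_until has passed is treated as a miss rather than an error, which is the behaviour a detection pipeline wants: expired intelligence should silently stop firing. The KQL rendering escapes quotes and backslashes so a crafted indicator value cannot break out of the quoted term.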
        
        - name: observed_data
          title: Observed Data
          short: Fields that let you store information about Observed Data.
          description: >
            Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Observed Data.
        
          - name: first_observed
            level: core
            type: date
            description: >
              The beginning of the time window that the data was observed, in RFC3339 format.
        
          - name: last_observed
            level: core
            type: date
            description: >
              The end of the time window that the data was observed, in RFC3339 format.
        
          - name: number_observed
            level: core
            type: integer
            description: >
              The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
        
          - name: objects
            level: core
            type: keyword
            description: >
              A dictionary of Cyber Observable Objects that describes the single fact that was observed.
        
        - name: report
          title: Report
          short: Fields that let you store information about Report.
          description: >
            Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Report.
        
          - name: labels
            level: core
            type: keyword
            description: >
              This field is an Open Vocabulary that specifies the primary subject of this report. 
              Open Vocab - report-label-ov.
              threat-report,attack-pattern,campaign,identity,indicator,malware,observed-data,threat-actor,tool,vulnerability
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Report.
        
          - name: description
            level: extended
            type: text
            description: >
              A description that provides more details and context about the Report.
        
          - name: published
            level: extended
            type: date
            description: >
              The date that this report object was officially published by the creator of this report, in RFC3339 format.
        
          - name: object_refs
            level: core
            type: text
            description: >
              Specifies the STIX Objects that are referred to by this Report.
        
        - name: threat_actor
          title: Threat Actor
          short: Fields that let you store information about Threat Actor.
          description: >
            Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Threat Actor.
        
          - name: labels
            level: core
            type: keyword
            description: >
              This field specifies the type of threat actor. 
              Open Vocab - threat-actor-label-ov.
              activist,competitor,crime-syndicate,criminal,hacker,insider-accidental,insider-disgruntled,nation-state,sensationalist,spy,terrorist
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify this Threat Actor or Threat Actor group.
        
          - name: description
            level: extended
            type: text
            description: >
              A description that provides more details and context about the Threat Actor.
        
          - name: aliases
            level: extended
            type: text
            description: >
              A list of other names that this Threat Actor is believed to use.
        
          - name: roles
            level: extended
            type: text
            description: >
              This is a list of roles the Threat Actor plays. 
              Open Vocab - threat-actor-role-ov.
              agent,director,independent,sponsor,infrastructure-operator,infrastructure-architect,malware-author
        
          - name: goals
            level: extended
            type: text
            description: >
              The high level goals of this Threat Actor, namely, what are they trying to do.
        
          - name: sophistication
            level: extended
            type: text
            description: >
              The skill, specific knowledge, special training, or expertise a Threat Actor 
              must have to perform the attack. 
              Open Vocab - threat-actor-sophistication-ov.
              none,minimal,intermediate,advanced,strategic,expert,innovator
        
          - name: resource_level
            level: extended
            type: text
            description: >
              This defines the organizational level at which this Threat Actor typically works. 
              Open Vocab - attack-resource-level-ov.
              individual,club,contest,team,organization,government
        
          - name: primary_motivation
            level: extended
            type: text
            description: >
              The primary reason, motivation, or purpose behind this Threat Actor. 
              Open Vocab - attack-motivation-ov.
              accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
        
          - name: secondary_motivations
            level: extended
            type: text
            description: >
              The secondary reasons, motivations, or purposes behind this Threat Actor. 
              Open Vocab - attack-motivation-ov.
              accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
        
          - name: personal_motivations
            level: extended
            type: text
            description: >
              The personal reasons, motivations, or purposes of the Threat Actor regardless of 
              organizational goals.
              Open Vocab - attack-motivation-ov.
              accidental,coercion,dominance,ideology,notoriety,organizational-gain,personal-gain,personal-satisfaction,revenge,unpredictable
        
        - name: tool
          title: Tool
          short: Fields that let you store information about Tool.
          description: >
            Tools are legitimate software that can be used by threat actors to perform attacks.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Tool.
        
          - name: labels
            level: core
            type: keyword
            description: >
              The kind(s) of tool(s) being described. 
              Open Vocab - tool-label-ov.
              denial-of-service,exploitation,information-gathering,network-capture,credential-exploitation,remote-access,vulnerability-scanning
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Tool.
        
          - name: description
            level: extended
            type: text
            description: >
              A description that provides more details and context about the Tool.
        
          - name: tool_version
            level: extended
            type: keyword
            description: >
              The version identifier associated with the Tool.
        
          - name: kill_chain_phases
            level: extended
            type: text
            description: >
              The list of kill chain phases for which this Tool instance can be used.
        
        - name: vulnerability
          title: Vulnerability
          short: Fields that let you store information about Vulnerability.
          description: >
            A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
        
          type: group
          fields:
        
          - name: id
            level: core
            type: keyword
            description: >
              Identifier of the Vulnerability.
        
          - name: name
            level: core
            type: keyword
            description: >
              The name used to identify the Vulnerability.
        
          - name: description
            level: extended
            type: text
            description: >
              A description that provides more details and context about the Vulnerability.
        
        
          
        
        
        
        
        
        
- key: mssql
  title: "mssql"
  description: MS SQL Filebeat Module
  fields:
    - name: mssql
      type: group
      description: Fields from the MSSQL log files
      fields:
        - name: log
          description: Common log fields
          type: group
          fields:
            - name: origin
              description: Origin of the message, usually the server but it can also be a recovery process
              type: keyword
- key: mysqlenterprise
  title: MySQL Enterprise
  description: >
    MySQL Enterprise Audit module
  fields:
    - name: mysqlenterprise
      type: group
      description: >
        Fields from MySQL Enterprise Logs
      fields:
        - name: audit
          type: group
          release: beta
          description: >
            Module for parsing MySQL Enterprise Audit Logs
          fields:
            - name: class
              type: keyword
              description: >
                A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.
        
            - name: connection_id
              type: keyword
              description: >
                An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
        
            - name: id
              type: keyword
              description: >
                An unsigned integer representing an event ID.
        
            - name: connection_data.connection_type
              type: keyword
              description: >
                The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
        
            - name: connection_data.status
              type: long
              description: >
                An integer representing the command status: 0 for success, nonzero if an error occurred.
        
            - name: connection_data.db
              type: keyword
              description: >
                A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
        
            - name: connection_data.connection_attributes
              type: flattened
              description: >
                Connection attributes that might be passed by different MySQL Clients.
        
            - name: general_data.command
              type: keyword
              description: >
                A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
        
            - name: general_data.sql_command
              type: keyword
              description: >
                A string that indicates the SQL statement type.
        
            - name: general_data.query
              type: keyword
              description: >
                A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
        
            - name: general_data.status
              type: long
              description: >
                An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
        
            - name: login.user
              type: keyword
              description: >
                A string representing the information indicating how a client connected to the server.
        
            - name: login.proxy
              type: keyword
              description: >
                A string representing the proxy user. The value is empty if user proxying is not in effect.
        
            - name: shutdown_data.server_id
              type: keyword
              description: >
                An integer representing the server ID. This is the same as the value of the server_id system variable.
        
            - name: startup_data.server_id
              type: keyword
              description: >
                An integer representing the server ID. This is the same as the value of the server_id system variable.
        
            - name: startup_data.mysql_version
              type: keyword
              description: >
                A string representing the MySQL server version. This is the same as the value of the version system variable.
        
            - name: table_access_data.db
              type: keyword
              description: >
                A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
        
            - name: table_access_data.table
              type: keyword
              description: >
                A string representing a table name.
        
            - name: table_access_data.query
              type: keyword
              description: >
                A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
        
            - name: table_access_data.sql_command
              type: keyword
              description: >
                A string that indicates the SQL statement type.
        
            - name: account.user
              type: keyword
              description: >
                A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
        
            - name: account.host
              type: keyword
              description: >
                A string representing the client host name.
        
            - name: login.os
              type: keyword
              description: >
                A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.
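
The following Python is an added example and is not part of the module or of MySQL's own tooling. It flattens MySQL Enterprise Audit records in the JSON log format into the dotted mysqlenterprise.audit.* fields defined above and then runs a few detections a SOC would want over them: unencrypted tcp/ip connections, failed connects (nonzero connection_data.status), proxy users in effect, privilege-changing SQL, and reads of the mysql.user grant table. The sample log lines are constructed, and the set of privileged sql_command values and the rule names are this example's own assumptions.

```python
from __future__ import annotations

import json

# Constructed MySQL Enterprise Audit records in the JSON log format; the values are
# made up and only keys covered by the mysqlenterprise.audit fields above are used.
# 1045 is MySQL's "access denied" error code.
SAMPLE_LOG = """\
{"timestamp":"2024-03-01 10:00:00","id":0,"class":"connection","event":"connect","connection_id":12,"account":{"user":"app","host":"10.0.0.5"},"login":{"user":"app","os":"","proxy":""},"connection_data":{"connection_type":"tcp/ip","status":0,"db":"shop","connection_attributes":{"_client_name":"libmysql"}}}
{"timestamp":"2024-03-01 10:00:01","id":1,"class":"connection","event":"connect","connection_id":13,"account":{"user":"","host":"203.0.113.9"},"login":{"user":"admin","os":"","proxy":""},"connection_data":{"connection_type":"ssl","status":1045,"db":""}}
{"timestamp":"2024-03-01 10:00:02","id":2,"class":"general","event":"status","connection_id":12,"account":{"user":"app","host":"10.0.0.5"},"login":{"user":"app","os":"","proxy":""},"general_data":{"command":"Query","sql_command":"grant","query":"GRANT ALL ON *.* TO 'app'@'%'","status":0}}
{"timestamp":"2024-03-01 10:00:03","id":3,"class":"table_access","event":"read","connection_id":12,"account":{"user":"app","host":"10.0.0.5"},"login":{"user":"app","os":"","proxy":""},"table_access_data":{"db":"mysql","table":"user","query":"SELECT * FROM mysql.user","sql_command":"select"}}
"""

PREFIX = "mysqlenterprise.audit."

# Sub-objects whose keys map onto mysqlenterprise.audit.<object>.<key> fields above.
MAPPED = {
    "connection_data": ("connection_type", "status", "db", "connection_attributes"),
    "general_data": ("command", "sql_command", "query", "status"),
    "table_access_data": ("db", "table", "query", "sql_command"),
    "account": ("user", "host"),
    "login": ("user", "proxy", "os"),
    "shutdown_data": ("server_id",),
    "startup_data": ("server_id", "mysql_version"),
}

# sql_command values treated as privilege-changing; this list is an assumption of the example.
PRIVILEGED_SQL = {"grant", "create_user", "alter_user", "drop_user", "set_password"}


def to_fields(record: dict) -> dict:
    """Flatten one audit record into dotted mysqlenterprise.audit.* keys."""
    out = {}
    for key in ("class", "connection_id", "id"):
        if key in record:
            out[PREFIX + key] = str(record[key])  # these are keyword fields
    for obj, keys in MAPPED.items():
        if obj not in record:
            continue
        for k in keys:
            if k in record[obj]:
                out[f"{PREFIX}{obj}.{k}"] = record[obj][k]  # status stays a long
    return out


def parse_line(line: str) -> dict:
    return to_fields(json.loads(line))


def findings(f: dict) -> list[str]:
    """Detection rules over the flattened fields; returns the rule names that fired."""
    hits = []
    if f.get(PREFIX + "class") == "connection":
        if f.get(PREFIX + "connection_data.connection_type") == "tcp/ip":
            hits.append("unencrypted network connection")
        if f.get(PREFIX + "connection_data.status", 0) != 0:
            hits.append("failed connection attempt")
        if f.get(PREFIX + "login.proxy"):
            hits.append("proxy user in effect")
    if f.get(PREFIX + "general_data.sql_command") in PRIVILEGED_SQL:
        hits.append("privilege-changing statement")
    if (f.get(PREFIX + "table_access_data.db") == "mysql"
            and f.get(PREFIX + "table_access_data.table") == "user"):
        hits.append("read of mysql.user grant table")
    return hits


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run the rules over every record; returns (event id, fired rules) for records that hit."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        hits = findings(fields)
        if hits:
            results.append((fields[PREFIX + "id"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG):
        print(event_id, ", ".join(hits))
```

Matching on sql_command rather than on the query text is deliberate: the query field can be empty or truncated, as the field description notes, while sql_command is the server's own classification of the statement and is not affected by comment padding or whitespace tricks.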
- key: netflow-module
  title: NetFlow
  description: >
    Module for receiving NetFlow and IPFIX flow records over UDP. The module
    does not add fields beyond what the netflow input provides.
  skipdocs:
  fields:
- key: netscout
  title: Arbor Peakflow SP
  description: >
    netscout fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                 \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of a session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never be
                used to parse metadata from a session (logs/packets) directly; it is a
                reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event_cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviours of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used only to capture the authentication methods used
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: This key is for uninterpreted LDAP values, that is, LDAP values that
                don't have a clear query or response context
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key captures the results of an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as (the author of the task)
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is Windows-specific and is used to capture the name of
                the account a service (referenced in the event) is running under. Legacy usage.
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of a file as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a wireless session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or the WLAN name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: o365
  title: Office 365
  description: >
    Module for handling logs from Office 365.
  fields:
          - name: o365.audit
            type: group
            description: >
              Fields from Office 365 Management API audit logs.
            fields:
            - name: AADGroupId
              type: keyword
        
            - name: Actor
              type: array
              fields:
              - name: ID
                type: keyword
        
              - name: Type
                type: keyword
        
            - name: ActorContextId
              type: keyword
        
            - name: ActorIpAddress
              type: keyword
        
            - name: ActorUserId
              type: keyword
        
            - name: ActorYammerUserId
              type: keyword
        
            - name: AlertEntityId
              type: keyword
        
            - name: AlertId
              type: keyword
        
            - name: AlertLinks
              type: array
        
            - name: AlertType
              type: keyword
        
            - name: AppId
              type: keyword
        
            - name: ApplicationDisplayName
              type: keyword
        
            - name: ApplicationId
              type: keyword
        
            - name: AzureActiveDirectoryEventType
              type: keyword
        
            - name: ExchangeMetaData.*
              type: object
        
            - name: Category
              type: keyword
        
            - name: ClientAppId
              type: keyword
        
            - name: ClientInfoString
              type: keyword
        
            - name: ClientIP
              type: keyword
        
            - name: ClientIPAddress
              type: keyword
        
            - name: Comments
              type: text
              norms: false
        
            - name: CommunicationType
              type: keyword
        
            - name: CorrelationId
              type: keyword
        
            - name: CreationTime
              type: keyword
        
            - name: CustomUniqueId
              type: keyword
        
            - name: Data
              type: keyword
        
            - name: DataType
              type: keyword
        
            - name: DoNotDistributeEvent
              type: boolean
        
            - name: EntityType
              type: keyword
        
            - name: ErrorNumber
              type: keyword
        
            - name: EventData
              type: keyword
        
            - name: EventSource
              type: keyword
        
            - name: ExceptionInfo.*
              type: object
        
            - name: ExtendedProperties.*
              type: object
        
            - name: ExternalAccess
              type: keyword
        
            - name: FromApp
              type: boolean
        
            - name: GroupName
              type: keyword
        
            - name: Id
              type: keyword
        
            - name: ImplicitShare
              type: keyword
        
            - name: IncidentId
              type: keyword
        
            - name: InternalLogonType
              type: keyword
        
            - name: InterSystemsId
              type: keyword
        
            - name: IntraSystemId
              type: keyword
        
            - name: IsDocLib
              type: boolean
        
            - name: Item.*
              type: object
        
            - name: Item.*.*
              type: object
        
            - name: ItemCount
              type: long
        
            - name: ItemName
              type: keyword
        
            - name: ItemType
              type: keyword
        
            - name: ListBaseTemplateType
              type: keyword
        
            - name: ListBaseType
              type: keyword
        
            - name: ListColor
              type: keyword
        
            - name: ListIcon
              type: keyword
        
            - name: ListId
              type: keyword
        
            - name: ListTitle
              type: keyword
        
            - name: ListItemUniqueId
              type: keyword
        
            - name: LogonError
              type: keyword
        
            - name: LogonType
              type: keyword
        
            - name: LogonUserSid
              type: keyword
        
            - name: MailboxGuid
              type: keyword
        
            - name: MailboxOwnerMasterAccountSid
              type: keyword
        
            - name: MailboxOwnerSid
              type: keyword
        
            - name: MailboxOwnerUPN
              type: keyword
        
            - name: Members
              type: array
        
            - name: Members.*
              type: object
        
            - name: ModifiedProperties.*.*
              type: object
        
            - name: Name
              type: keyword
        
            - name: ObjectId
              type: keyword
        
            - name: Operation
              type: keyword
        
            - name: OrganizationId
              type: keyword
        
            - name: OrganizationName
              type: keyword
        
            - name: OriginatingServer
              type: keyword
        
            - name: Parameters.*
              type: object
        
            - name: PolicyDetails
              type: array
        
            - name: PolicyId
              type: keyword
        
            - name: RecordType
              type: keyword
        
            - name: ResultStatus
              type: keyword
        
            - name: SensitiveInfoDetectionIsIncluded
              type: keyword
        
            - name: SharePointMetaData.*
              type: object
        
            - name: SessionId
              type: keyword
        
            - name: Severity
              type: keyword
        
            - name: Site
              type: keyword
        
            - name: SiteUrl
              type: keyword
        
            - name: Source
              type: keyword
        
            - name: SourceFileExtension
              type: keyword
        
            - name: SourceFileName
              type: keyword
        
            - name: SourceRelativeUrl
              type: keyword
        
            - name: Status
              type: keyword
        
            - name: SupportTicketId
              type: keyword
        
            - name: Target
              type: array
              fields:
              - name: ID
                type: keyword
        
              - name: Type
                type: keyword
        
            - name: TargetContextId
              type: keyword
        
            - name: TargetUserOrGroupName
              type: keyword
        
            - name: TargetUserOrGroupType
              type: keyword
        
            - name: TeamName
              type: keyword
        
            - name: TeamGuid
              type: keyword
        
            - name: TemplateTypeId
              type: keyword
        
            - name: UniqueSharingId
              type: keyword
        
            - name: UserAgent
              type: keyword
        
            - name: UserId
              type: keyword
        
            - name: UserKey
              type: keyword
        
            - name: UserType
              type: keyword
        
            - name: Version
              type: keyword
        
            - name: WebId
              type: keyword
        
            - name: Workload
              type: keyword
        
            - name: YammerNetworkId
              type: keyword
- key: okta
  title: Okta
  description: >
    Module for handling system logs from Okta.
  fields:
    - name: okta
      type: group
      description: >
        Fields from Okta.
      fields:
        - name: uuid
          title: UUID
          short: The unique identifier of the Okta LogEvent.
          description: >
            The unique identifier of the Okta LogEvent.
          type: keyword
        
        - name: event_type
          title: Event Type
          short: The type of the LogEvent.
          description: >
            The type of the LogEvent.
          type: keyword
        
        - name: version
          title: Version
          short: The version of the LogEvent.
          description: >
            The version of the LogEvent.
          type: keyword
        
        - name: severity
          title: Severity
          short: The severity of the LogEvent.
          description: >
            The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
          type: keyword
        
        - name: display_message
          title: Display Message
          short: The display message of the LogEvent.
          description: >
            The display message of the LogEvent.
          type: keyword
        
        - name: actor
          title: Actor
          short: Fields of the actor for the LogEvent.
          description: >
            Fields that let you store information of the actor for the LogEvent.
          type: group
          fields:
        
          - name: id
            type: keyword
            description: >
              Identifier of the actor.
        
          - name: type
            type: keyword
            description: >
              Type of the actor.
        
          - name: alternate_id
            type: keyword
            description: >
              Alternate identifier of the actor.
        
          - name: display_name
            type: keyword
            description: >
              Display name of the actor.
        
        - name: client
          title: Client
          short: Fields about the client of the actor.
          description: >
            Fields that let you store information about the client of the actor.
          type: group
          fields:
        
          - name: ip
            type: ip
            description: >
              The IP address of the client.
        
          - name: user_agent
            description: >
              Fields about the user agent information of the client.
            type: group
            fields:
        
            - name: raw_user_agent
              type: keyword
              description: >
                The raw information of the user agent.
        
            - name: os
              type: keyword
              description: >
                The OS information.
        
            - name: browser
              type: keyword
              description: >
                The browser information of the client.
        
          - name: zone
            type: keyword
            description: >
              The zone information of the client.
        
          - name: device
            type: keyword
            description: >
              The information of the client device.
        
          - name: id
            type: keyword
            description: >
              The identifier of the client.
        
        - name: outcome
          title: Outcome
          short: Fields that let you store information about the outcome.
          description: >
            Fields that let you store information about the outcome.
          type: group
          fields:
        
          - name: reason
            type: keyword
            description: >
              The reason of the outcome.
        
          - name: result
            type: keyword
            description: >
              The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
        
        - name: target
          title: Target
          short: The list of targets.
          description: >
            The list of targets.
          type: flattened
          fields:
        
          - name: id
            type: keyword
            description: >
              Identifier of the target.
        
          - name: type
            type: keyword
            description: >
              Type of the target.
        
          - name: alternate_id
            type: keyword
            description: >
              Alternate identifier of the target.
        
          - name: display_name
            type: keyword
            description: >
              Display name of the target.
        
        - name: transaction
          title: Transaction
          short: Fields that let you store information about related transaction.
          description: >
            Fields that let you store information about related transaction.
          type: group
          fields:
        
          - name: id
            type: keyword
            description: >
              Identifier of the transaction.
        
          - name: type
            type: keyword
            description: >
              The type of transaction. Must be one of "WEB", "JOB".
        
        - name: debug_context
          title: Debug Context
          short: Fields that let you store information about the debug context.
          description: >
            Fields that let you store information about the debug context.
          type: group
          fields:
        
          - name: debug_data
            description: >
              The debug data.
            type: group
            fields:
        
            - name: device_fingerprint
              type: keyword
              description: >
                The fingerprint of the device.
        
            - name: request_id
              type: keyword
              description: >
                The identifier of the request.
        
            - name: request_uri
              type: keyword
              description: >
                The request URI.
        
            - name: threat_suspected
              type: keyword
              description: >
                Threat suspected.
        
            - name: risk_level
              type: keyword
              description: >
                The risk level assigned to the sign-in attempt.
        
            - name: url
              type: keyword
              description: >
                The URL.
        
            - name: flattened
              type: flattened
              description: >
                The complete debug_data object.
        
            - name: suspicious_activity
              description: >
                The suspicious activity fields from the debug data.
              type: group
              fields:
        
                - name: browser
                  type: keyword
                  description: >
                    The browser used.
        
                - name: event_city
                  type: keyword
                  description: >
                    The city where the suspicious activity took place.
        
                - name: event_country
                  type: keyword
                  description: >
                    The country where the suspicious activity took place.
        
                - name: event_id
                  type: keyword
                  description: >
                    The event ID.
        
                - name: event_ip
                  type: ip
                  description: >
                    The IP of the suspicious event.
        
                - name: event_latitude
                  type: float
                  description: >
                    The latitude where the suspicious activity took place.
        
                - name: event_longitude
                  type: float
                  description: >
                    The longitude where the suspicious activity took place.
        
                - name: event_state
                  type: keyword
                  description: >
                    The state where the suspicious activity took place.
        
                - name: event_transaction_id
                  type: keyword
                  description: >
                    The event transaction ID.
        
                - name: event_type
                  type: keyword
                  description: >
                    The event type.
        
                - name: os
                  type: keyword
                  description: >
                    The OS of the system from which the suspicious activity occurred.
        
                - name: timestamp
                  type: date
                  description: >
                    The timestamp of when the activity occurred.
        
        - name: authentication_context
          title: Authentication Context
          short: Fields that let you store information about authentication context.
          description: >
            Fields that let you store information about authentication context.
          type: group
          fields:
        
          - name: authentication_provider
            type: keyword
            description: >
              The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
        
          - name: authentication_step
            type: integer
            description: >
              The authentication step.
        
          - name: credential_provider
            type: keyword
            description: >
              The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
        
          - name: credential_type
            type: keyword
            description: >
              The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID.
        
          - name: issuer
            description: >
              The information about the issuer.
            type: array
            fields:
        
            - name: id
              type: keyword
              description: >
                The identifier of the issuer.
        
            - name: type
              type: keyword
              description: >
                The type of the issuer.
        
          - name: external_session_id
            type: keyword
            description: >
              The session identifier of the external session, if any.
        
          - name: interface
            type: keyword
            description: >
              The interface used, e.g., Outlook, Office365, wsTrust.
        
        - name: security_context
          title: Security Context
          short: Fields that let you store information about security context.
          description: >
            Fields that let you store information about security context.
          type: group
          fields:
        
          - name: as
            type: group
            description: >
              The autonomous system.
            fields:
        
            - name: number
              type: integer
              description: >
                The AS number.
        
            - name: organization
              type: group
              description: >
                The organization that owns the AS number.
              fields:
        
              - name: name
                type: keyword
                description: >
                  The organization name.
        
          - name: isp
            type: keyword
            description: >
              The Internet Service Provider.
        
          - name: domain
            type: keyword
            description: >
              The domain name.
        
          - name: is_proxy
            type: boolean
            description: >
              Whether it is a proxy or not.
        
        - name: request
          title: Request
          short: Fields that let you store information about the request.
          description: >
            Fields that let you store information about the request, in the form of a list of ip_chain objects.
          type: group
          fields:
        
          - name: ip_chain
            description: >
              List of ip_chain objects.
            type: group
            fields:
        
            - name: ip
              type: ip
              description: >
                IP address.
        
            - name: version
              type: keyword
              description: >
                IP version. Must be one of V4, V6.
        
            - name: source
              type: keyword
              description: >
                Source information.
        
            - name: geographical_context
              description: >
                Geographical information.
              type: group
              fields:
        
              - name: city
                type: keyword
                description: The city.
        
              - name: state
                type: keyword
                description: The state.
        
              - name: postal_code
                type: keyword
                description: The postal code.
        
              - name: country
                type: keyword
                description: The country.
        
              - name: geolocation
                description: >
                  Geolocation information.
                type: geo_point
- key: oracle
  title: Oracle
  description: >
    Oracle Module
  fields:
    - name: oracle
      type: group
      description: >
        Fields from Oracle logs.
      fields:
        - name: database_audit
          type: group
          description: >
            Module for parsing Oracle Database audit logs
          fields:
            - name: status
              type: keyword
              description: >
                Database Audit Status.
        
            - name: session_id
              type: keyword
              description: >
                Indicates the audit session ID number.
        
            - name: client.terminal
              type: keyword
              description: >
                If available, the client terminal type, for example "pty".
        
            - name: client.address
              type: keyword
              description: >
                The IP Address or Domain used by the client.
        
            - name: client.user
              type: keyword
              description: >
                The user running the client or connection to the database.
        
            - name: database.user
              type: keyword
              description: >
                The database user used to authenticate.
        
            - name: privilege
              type: keyword
              description: >
                The privilege group related to the database user.
        
            - name: entry.id
              type: keyword
              description: >
                Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records.
        
            - name: database.host
              type: keyword
              description: >
                Client host machine name.
        
            - name: action
              type: keyword
              description: >
                The action performed during the audit event. This could for example be the raw query.
        
            - name: action_number
              type: keyword
              description: >
                Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
        
            - name: database.id
              type: keyword
              description: >
                Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
        
            - name: length
              type: long
              description: >
                Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
- key: panw
  title: panw
  description: >
    Module for Palo Alto Networks (PAN-OS)
  fields:
    - name: panw
      type: group
      description: >
        Fields from the panw module.
      fields:
         - name: panos
           type: group
           description: >
             Fields for the Palo Alto Networks PAN-OS logs.
           fields:
            - name: ruleset
              type: keyword
              description: >
                Name of the rule that matched this session.
            - name: source
              type: group
              description: >
                Fields to extend the top-level source object.
              fields:
                - name: zone
                  type: keyword
                  description: >
                    Source zone for this session.
                - name: interface
                  type: keyword
                  description: >
                    Source interface for this session.
                - name: nat
                  type: group
                  description: >
                    Post-NAT source address, if source NAT is performed.
                  fields:
                  - name: ip
                    type: ip
                    description: >
                      Post-NAT source IP.
                  - name: port
                    type: long
                    description: >
                      Post-NAT source port.
        
            - name: destination
              type: group
              description: >
                Fields to extend the top-level destination object.
              fields:
                - name: zone
                  type: keyword
                  description: >
                    Destination zone for this session.
                - name: interface
                  type: keyword
                  description: >
                    Destination interface for this session.
                - name: nat
                  type: group
                  description: >
                    Post-NAT destination address, if destination NAT is performed.
                  fields:
                    - name: ip
                      type: ip
                      description: >
                        Post-NAT destination IP.
                    - name: port
                      type: long
                      description: >
                        Post-NAT destination port.
        
            - name: endreason
              type: keyword
              description: >
                The reason a session terminated.
        
            - name: network
              type: group
              description: >
                Fields to extend the top-level network object.
              fields:
                - name: pcap_id
                  type: keyword
                  description: >
                    Packet capture ID for a threat.
        
                - name: nat
                  type: group
                  fields:
                    - name: community_id
                      type: keyword
                      description: >
                        Community ID flow-hash for the NAT 5-tuple.
        
            - name: file
              type: group
              description: >
                Fields to extend the top-level file object.
              fields:
                - name: hash
                  description: >
                    Binary hash for a threat file sent to be analyzed
                    by the WildFire service.
                  type: keyword
        
            - name: url
              type: group
              description: >
                Fields to extend the top-level url object.
              fields:
                - name: category
                  type: keyword
                  description: >
                    For threat URLs, it's the URL category.
                    For WildFire, it's the verdict on the file, which is
                    either 'malicious', 'grayware', or 'benign'.
        
            - name: flow_id
              type: keyword
              description: >
                Internal numeric identifier for each session.
        
            - name: sequence_number
              type: long
              description: >
                Log entry identifier that is incremented sequentially.
                Unique for each log type.
        
            - name: threat.resource
              type: keyword
              description: >
                URL or file name for a threat.
        
            - name: threat.id
              type: keyword
              description: >
                Palo Alto Networks identifier for the threat.
        
            - name: threat.name
              type: keyword
              description: >
                Palo Alto Networks name for the threat.
            - name: action
              type: keyword
              description: >-
                Action taken for the session.
            - name: type
              description: >-
                Specifies the type of the log
            - name: sub_type
              description: >-
                Specifies the sub type of the log
        
            - name: virtual_sys
              type: keyword
              description: >
                Virtual system instance
        
            - name: client_os_ver
              type: keyword
              description: >
                The client device’s OS version.
        
            - name: client_os
              type: keyword
              description: >
                The client device’s OS version.
        
            - name: client_ver
              type: keyword
              description: >
                The client’s GlobalProtect app version.
        
            - name: stage
              type: keyword
              example: before-login
              description: >
                A string showing the stage of the connection
        
            - name: actionflags
              type: keyword
              description: >
                A bit field indicating if the log was forwarded to Panorama.
        
            - name: error
              type: keyword
              description: >
                A string showing the error that has occurred in any event.
        
            - name: error_code
              type: integer
              description: >
                An integer associated with any errors that occurred.
        
            - name: repeatcnt
              type: integer
              description: >
                The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.
        
            - name: serial_number
              type: keyword
              description: >
                The serial number of the user’s machine or device.
        
            - name: auth_method
              type: keyword
              example: LDAP
              description: >
                A string showing the authentication type
        
            - name: datasource
              type: keyword
              description: >
                Source from which mapping information is collected.
        
            - name: datasourcetype
              type: keyword
              description: >
                Mechanism used to identify the IP/User mappings within a data source.
        
            - name: datasourcename
              type: keyword
              description: >
                User-ID source that sends the IP (Port)-User Mapping.
        
            - name: factorno
              type: integer
              description: >
                Indicates the use of primary authentication (1) or additional factors (2, 3).
        
            - name: factortype
              type: keyword
              description: >
                Vendor used to authenticate a user when multi-factor authentication is present.
        
            - name: factorcompletiontime
              type: date
              description: >
                Time the authentication was completed.
        
            - name: ugflags
              type: keyword
              description: |
                Displays whether a user group was found during user group mapping. Supported values are:
                User Group Found—Indicates whether the user could be mapped to a group.
                Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
        
            - name: device_group_hierarchy
              type: group
              description: >
                A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
                If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
              fields:
                - name: level_1
                  type: keyword
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
        
                - name: level_2
                  type: keyword
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
        
                - name: level_3
                  type: keyword
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
        
                - name: level_4
                  type: keyword
                  description: >
                    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
                    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
        
            - name: timeout
              type: integer
              description: >
                Timeout after which the IP/User Mappings are cleared.
        
            - name: vsys_id
              type: keyword
              description: >
                A unique identifier for a virtual system on a Palo Alto Networks firewall.
        
            - name: vsys_name
              type: keyword
              description: >
                The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
        
            - name: description
              type: keyword
              description: >
                Additional information for any event that has occurred.
        
            - name: tunnel_type
              type: keyword
              description: >
                The type of tunnel (either SSLVPN or IPSec).
        
            - name: connect_method
              type: keyword
              description: >
                A string showing how the GlobalProtect app connects to the Gateway.
        
            - name: matchname
              type: keyword
              description: >
                Name of the HIP object or profile.
        
            - name: matchtype
              type: keyword
              description: >
                Whether the hip field represents a HIP object or a HIP profile.
        
            - name: priority
              type: keyword
              description: >
                The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
        
            - name: response_time
              type: keyword
              description: >
                The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
        
            - name: attempted_gateways
              type: keyword
              description: >
                The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
        
            - name: gateway
              type: keyword
              description: >
                The name of the gateway that is specified on the portal configuration.
        
            - name: selection_type
              type: keyword
              description: >
                The connection method that is selected to connect to the gateway.
- key: proofpoint
  title: Proofpoint Email Security
  description: >
    Proofpoint Email Security fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify a
                group of similar processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify a
                group of similar processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given to the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of the object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event, describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with
                the node, such as a physical disk or printer'
            - name: param
              overwrite: true
              type: keyword
              description: This key captures the parameters passed as part of a command or
                application invocation.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the policy ID only; it should be a
                numeric value, otherwise use policy.name
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the integer IDS/IPS signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or
                system (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture an indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
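The counters group above states a pairing convention (each dclass_cN / dclass_rN counter is meant to be used with its dclass_cN_str / dclass_rN_str label), and keys throughout these groups are marked "Deprecated" in their description. The Python below is an added example, not code from the Filebeat module or from RSA NetWitness: it parses a fields.yml fragment of this shape (a constructed sample mirroring the page, with one counter deliberately left without its label), flattens it into dotted field names under an assumed `rsa` parent key (the fragment does not show what the groups are nested under), derives the Elasticsearch mapping the types imply, lists the deprecated keys, and reports counters whose label is missing. It understands only the subset of YAML used here (`name`, `type`, `description`, `fields`, and wrapped description lines), not general YAML.

```python
"""Flatten a Beats fields.yml fragment shaped like the NetWitness schema above into
dotted names, derive the Elasticsearch mapping, and check its stated conventions."""
import re

COUNTER = re.compile(r"^dclass_[cr]\d+$")   # dclass_c1, dclass_r2, ... need a _str label

# Constructed sample in the page's shape (not the real module file); dclass_c2 is
# deliberately left without a dclass_c2_str label so the pairing check finds it.
SAMPLE_FIELDS_YML = """\
- name: counters
  overwrite: true
  type: group
  fields:
  - name: dclass_c1
    overwrite: true
    type: long
    description: This is a generic counter key that should be used with the label
      dclass.c1.str only
  - name: dclass_c1_str
    type: keyword
    description: Label for dclass.c1
  - name: dclass_c2
    type: long
    description: This is a generic counter key that should be used with the label
      dclass.c2.str only
- name: network
  overwrite: true
  type: group
  fields:
  - name: network_port
    overwrite: true
    type: long
    description: 'Deprecated, use port.'
  - name: port
    type: long
"""

def _lines(text):
    return [(len(l) - len(l.lstrip(" ")), l.strip()) for l in text.splitlines() if l.strip()]

def _parse_items(lines, pos, indent):
    """Parse '- key: value' items at `indent`; handles the fields.yml subset only:
    scalar keys, wrapped scalar continuations and a nested 'fields:' list."""
    items = []
    while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
        key, _, val = lines[pos][1][2:].partition(":")
        item, last_key, pos = {key.strip(): val.strip()}, key.strip(), pos + 1
        key_indent = indent + 2
        while pos < len(lines):
            ind, text = lines[pos]
            if ind < key_indent or (ind == key_indent and text.startswith("- ")):
                break                                 # end of this item's keys
            pos += 1
            if ind > key_indent:                      # wrapped continuation of last value
                item[last_key] = f"{item[last_key]} {text}".strip()
                continue
            key, _, val = text.partition(":")
            last_key = key.strip()
            if last_key == "fields":
                item["fields"], pos = _parse_items(lines, pos, key_indent)
            else:
                item[last_key] = val.strip().strip("'\"")
        items.append(item)
    return items, pos

def parse_fields_yml(text):
    return _parse_items(_lines(text), 0, 0)[0]

def flatten(items, prefix="rsa"):
    """Yield (dotted name, type, description); 'rsa' is an assumed parent key, the
    fragment does not show what the groups are nested under."""
    for it in items:
        path = f"{prefix}.{it['name']}"
        if it.get("type") == "group":
            yield from flatten(it.get("fields", []), path)
        else:
            yield path, it.get("type", "keyword"), it.get("description", "")

def es_mapping(items, prefix="rsa"):
    """Elasticsearch 'properties' tree implied by the definitions."""
    props = {}
    for name, ftype, _ in flatten(items, prefix):
        *parents, leaf = name.split(".")
        node = props
        for part in parents:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[leaf] = {"type": ftype}
    return props

def deprecated_keys(items, prefix="rsa"):
    return sorted(n for n, _, d in flatten(items, prefix) if d.lower().startswith("deprecated"))

def unpaired_counters(items, prefix="rsa"):
    """Counter keys whose required <name>_str label is missing from the schema."""
    names = {n for n, _, _ in flatten(items, prefix)}
    return sorted(n for n in names
                  if COUNTER.match(n.rsplit(".", 1)[-1]) and f"{n}_str" not in names)
```

Run it against the real module file by passing its text to `parse_fields_yml` and the correct parent key to `flatten`; `deprecated_keys` gives you the list of keys to migrate searches and detections away from, and `unpaired_counters` catches a counter that would be indexed with no way to tell what it counts.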
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture the authentication method used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: This key is for uninterpreted LDAP values, i.e. LDAP values that
                don't have a clear query or response context
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: rabbitmq
  title: "RabbitMQ"
  description: >
    RabbitMQ Module
  fields:
    - name: rabbitmq
      type: group
      description: >
      fields:
        - name: log
          type: group
          description: >
            RabbitMQ log files
          fields:
            - name: pid
              type: keyword
              description: The Erlang process id
              example: <0.222.0>
- key: radware
  title: Radware DefensePro
  description: >
    radware fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity assigned to the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, such as a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any
                Hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number; all the
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or the WLAN name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: salesforce
  title: "Salesforce"
  description: >
    Salesforce Module
  fields:
        - name: salesforce
          type: group
          release: beta
          description: >
            Fileset for ingesting Salesforce Apex logs.
          fields:
            - name: access_mode
              type: keyword
              description: >
                The mode of collecting logs from Salesforce - "rest" or "stream".
            - name: apex
              type: group
              release: beta
              description: >
                Fileset for ingesting Salesforce Apex logs.
              fields:
                - name: action
                  type: keyword
                  description: >
                    Action performed by the callout.
                - name: callout_time
                  type: keyword
                  description: >
                    Time spent waiting on webservice callouts, in milliseconds.
                - name: class_name
                  type: keyword
                  description: >
                    The Apex class name. If the class is part of a managed package, this string includes the package namespace.
                - name: client_name
                  type: keyword
                  description: >
                    The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn't specify a client in the CallOptions header.
                - name: cpu_time
                  type: keyword
                  description: >
                    The CPU time in milliseconds used to complete the request.
                - name: db_blocks
                  type: keyword
                  description: >
                    Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance.
                - name: db_cpu_time
                  type: keyword
                  description: >
                    The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request.
                - name: db_total_time
                  type: keyword
                  description: >
                    Time (in milliseconds) spent waiting for database processing in aggregate for all operations in the request. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code.
                - name: entity
                  type: keyword
                  description: >
                    Name of the external object being accessed.
                - name: entity_name
                  type: keyword
                  description: >
                    The name of the object affected by the trigger.
                - name: entry_point
                  type: keyword
                  description: >
                    The entry point for this Apex execution.
                - name: event_type
                  type: keyword
                  description: >
                    The type of event. The value is always ApexCallout.
                - name: execute_ms
                  type: keyword
                  description: >
                    How long it took (in milliseconds) for Salesforce to prepare and execute the query. Available in API version 42.0 and later.
                - name: fetch_ms
                  type: keyword
                  description: >
                    How long it took (in milliseconds) to retrieve the query results from the external system. Available in API version 42.0 and later.
                - name: filter
                  type: keyword
                  description: >
                    Field expressions to filter which rows to return. Corresponds to WHERE in SOQL queries.
                - name: is_long_running_request
                  type: keyword
                  description: >
                    Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false).
                - name: limit
                  type: keyword
                  description: >
                    Maximum number of rows to return for a query. Corresponds to LIMIT in SOQL queries.
                - name: limit_usage_percent
                  type: keyword
                  description: >
                    The percentage of Apex SOAP calls that were made against the organization's limit.
                - name: login_key
                  type: keyword
                  description: >
                    The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring.
                - name: media_type
                  type: keyword
                  description: >
                    The media type of the response.
                - name: message
                  type: keyword
                  description: >
                    Error or warning message associated with the failed call.
                - name: method_name
                  type: keyword
                  description: >
                    The name of the calling Apex method.
                - name: number_fields
                  type: keyword
                  description: >
                    The number of fields or columns, where applicable.
                - name: number_soql_queries
                  type: keyword
                  description: >
                    The number of SOQL queries that were executed during the event.
                - name: offset
                  type: keyword
                  description: >
                    Number of rows to skip when paging through a result set. Corresponds to OFFSET in SOQL queries.
                - name: orderby
                  type: keyword
                  description: >
                    Field or column to use for sorting query results, and whether to sort the results in ascending (default) or descending order. Corresponds to ORDER BY in SOQL queries.
                - name: organization_id
                  type: keyword
                  description: >
                    The 15-character ID of the organization.
                - name: query
                  type: keyword
                  description: >
                    The SOQL query, if one was performed.
                - name: quiddity
                  type: keyword
                  description: >
                    The type of outer execution associated with this event.
                - name: request.id
                  type: keyword
                  description: >
                    The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.
                - name: request.status
                  type: keyword
                  description: >
                    The status of the request for a page view or user interface action.
                - name: rows.total
                  type: keyword
                  description: >
                    Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability.
                - name: rows.fetched
                  type: keyword
                  description: >
                    Number of rows fetched by the callout. Available in API version 42.0 and later.
                - name: rows.processed
                  type: keyword
                  description: >
                    The number of rows that were processed in the request.
                - name: run_time
                  type: keyword
                  description: >
                    Not used for this event type. Use the TIME field instead.
                - name: select
                  type: keyword
                  description: >
                    Comma-separated list of fields being queried. Corresponds to SELECT in SOQL queries.
                - name: subqueries
                  type: keyword
                  description: >
                    Reserved for future use.
                - name: throughput
                  type: keyword
                  description: >
                    Number of records retrieved in one second.
                - name: trigger
                  type: group
                  fields:
                    - name: id
                      type: keyword
                      description: >
                        The 15-character ID of the trigger that was fired.
                    - name: name
                      type: keyword
                      description: >
                        For triggers coming from managed packages, TRIGGER_NAME includes a namespace prefix separated with a . character. If no namespace prefix is present, the trigger is from an unmanaged trigger.
                    - name: type
                      type: keyword
                      description: >
                        The type of this trigger.
                - name: type
                  type: keyword
                  description: >
                    The type of Apex callout.
                - name: uri
                  type: keyword
                  description: >
                    The URI of the page that's receiving the request.
                - name: uri_id_derived
                  type: keyword
                  description: >
                    The 18-character case-safe ID of the URI of the page that's receiving the request.
                - name: user_agent
                  type: keyword
                  description: >
                    The numeric code for the type of client used to make the request (for example, the browser, application, or API).
                - name: user_id_derived
                  type: keyword
                  description: >
                    The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API.
        - name: salesforce.login
          type: group
          release: beta
          description: >
            Fileset for ingesting Salesforce Login (REST) logs.
          fields:
            - name: api_type
              type: keyword
              description: >
                The type of API request.
            - name: api_version
              type: keyword
              description: >
                The version of the API that’s being used.
            - name: login_key
              type: keyword
              description: >
                The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
            - name: authentication_method_reference
              type: keyword
              description: >
                The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later.
            - name: client_ip
              type: keyword
              description: >
                The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”.
            - name: cpu_time
              type: keyword
              description: >
                The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer.
            - name: db_total_time
              type: keyword
              description: >
                The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code.
            - name: event_type
              type: keyword
              description: >
                The type of event. The value is always Login.
            - name: organization_id
              type: keyword
              description: >
                The 15-character ID of the organization.
            - name: request_id
              type: keyword
              description: >
                The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID.
            - name: request_status
              type: keyword
              description: >
                The status of the request for a page view or user interface action.
            - name: run_time
              type: keyword
              description: >
                The amount of time that the request took in milliseconds.
            - name: uri_id_derived
              type: keyword
              description: >
                The 18-character case insensitive ID of the URI of the page that’s receiving the request.
            - name: user_id_derived
              type: keyword
              description: >
                The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API.
        - name: salesforce.login
          type: group
          release: beta
          description: >
            Fileset for ingesting Salesforce Login (Streaming) logs.
          fields:
            - name: application
              type: keyword
              description: >
                The application used to access the org. Possible values include: AppExchange, Browser, Salesforce for iOS, Salesforce Developers API Explorer, N/A
            - name: auth_method_reference
              type: keyword
              description: >
                The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.
            - name: auth_service_id
              type: keyword
              description: >
                The 18-character ID for an authentication service for a login event.
            - name: client_version
              type: keyword
              description: >
                The version number of the login client. If no version number is available, “Unknown” is returned.
            - name: created_by_id
              type: keyword
              description: >
                Unavailable
            - name: evaluation_time
              type: keyword
              description: >
                The amount of time it took to evaluate the transaction security policy, in milliseconds.
            - name: login_geo_id
              type: keyword
              description: >
                The Salesforce ID of the LoginGeo object associated with the login user’s IP address.
            - name: login_history_id
              type: keyword
              description: >
                Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory and AuthSession objects, making it easier to trace events back to a user’s original authentication.
            - name: login_type
              type: keyword
              description: >
                The type of login used to access the session.
            - name: policy_id
              type: keyword
              description: >
                The ID of the transaction security policy associated with this event.
            - name: policy_outcome
              type: keyword
              description: >
                The result of the transaction policy.
            - name: related_event_identifier
              type: keyword
              description: >
                This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
            - name: session_level
              type: keyword
              description: >
                Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD
        - name: salesforce.logout
          type: group
          release: beta
          description: >
            Fileset for parsing Salesforce Logout (REST) logs.
          fields:
            - name: session_level
              type: keyword
              description: >
                Indicates the session-level security of the session that the user is logging out of for this event. Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD
            - name: login_key
              type: keyword
              description: >
                The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring.
            - name: api_type
              type: keyword
              description: >
                The type of API request.
            - name: api_version
              type: keyword
              description: >
                The version of the API that’s being used.
            - name: app_type
              type: keyword
              description: >
                The application type that was in use upon logging out.
            - name: browser_type
              type: keyword
              description: >
                The identifier string returned by the browser used at login.
            - name: client_version
              type: keyword
              description: >
                The version of the client that was in use upon logging out.
            - name: event_type
              type: keyword
              description: >
                The type of event. The value is always Logout.
            - name: organization_by_id
              type: keyword
              description: >
                The 15-character ID of the organization.
            - name: platform_type
              type: keyword
              description: >
                The code for the client platform. If a timeout caused the logout, this field is null.
            - name: resolution_type
              type: keyword
              description: >
                The screen resolution of the client. If a timeout caused the logout, this field is null.
            - name: session_type
              type: keyword
              description: >
                The session type that was used when logging out.
            - name: user_id_derived
              type: keyword
              description: >
                The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API.
            - name: user_initiated_logout
              type: keyword
              description: >
                The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0.
        - name: salesforce.logout
          type: group
          release: beta
          description: >
            Fileset for parsing Salesforce Logout (Streaming) logs.
          fields:
            - name: created_by_id
              type: keyword
              description: >
                Unavailable
            - name: related_event_identifier
              type: keyword
              description: >
                This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
            - name: replay_id
              type: keyword
              description: >
                Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
            - name: schema
              type: keyword
              description: >
                Unavailable
        - name: salesforce.setup_audit_trail
          type: group
          release: beta
          description: >
            Fileset for ingesting Salesforce SetupAuditTrail logs.
          fields:
            - name: event_type
              type: keyword
              description: >
                Event type
            - name: created_by_context
              type: keyword
              description: >
                The context under which the Setup change was made. For example, if Einstein uses cloud-to-cloud services to make a change in Setup, the value of this field is Einstein.
            - name: created_by_id
              type: keyword
              description: >
                Unknown
            - name: created_by_issuer
              type: keyword
              description: >
                Reserved for future use.
            - name: delegate_user
              type: keyword
              description: >
                The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later.
            - name: display
              type: keyword
              description: >
                The full description of changes made in Setup. For example, if the Action field has a value of PermSetCreate, the Display field has a value like “Created permission set MAD: with user license Salesforce.”
            - name: responsible_namespace_prefix
              type: keyword
              description: >
                Unknown
            - name: section
              type: keyword
              description: >
                The section in the Setup menu where the action occurred. For example, Manage Users or Company Profile.
- key: snort
  title: Snort/Sourcefire
  description: >
    snort fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture an incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, e.g. a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the
                fully qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the
                combination of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures the virtual system name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or
                system (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) and which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware Target. **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never
                be used to parse meta data directly from a session (logs/packets); it is
                a reserved key in NetWitness.
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that is not ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
                used (TM: Int32, INDEX: UInt64); a port value fits in UInt16.'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet type, used for layer 3
                protocols only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the protocol number; all
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the theme of a particular event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the subject of a particular event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture Behaviours of Compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in
                healthcare to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in
                healthcare to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in
                healthcare to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GEOPIP Maxmind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GEOPIP
                Maxmind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as <strong>blacklisted</strong>, <strong>infected</strong>, <strong>firewall
                disabled</strong> and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: snyk
  title: Snyk
  description: >
    Snyk module
  fields:
    - name: snyk
      type: group
      release: beta
      description: >
        Module for parsing Snyk project vulnerabilities.
      fields:
        - name: projects
          type: flattened
          description: >
            Array with all related projects objects.
        - name: related.projects
          type: keyword
          description: >
            Array of all the related project IDs.

        - name: audit
          type: group
          release: beta
          description: >
            Module for parsing Snyk audit logs.
          fields:
            - name: org_id
              type: keyword
              description: >
                ID of the related Organization related to the event.
            - name: project_id
              type: keyword
              description: >
                ID of the project related to the event.
            - name: content
              type: flattened
              description: >
                Overview of the content that was changed, both old and new values.
        - name: vulnerabilities
          type: group
          release: beta
          description: >
            Module for parsing Snyk project vulnerabilities.
          fields:
            - name: cvss3
              type: keyword
              description: >
                CVSSv3 scores.
            - name: disclosure_time
              type: date
              description: >
                The time this vulnerability was originally disclosed to the package maintainers.
            - name: exploit_maturity
              type: keyword
              description: >
                The Snyk exploit maturity level.
            - name: id
              type: keyword
              description: >
                The vulnerability reference ID.
            - name: is_ignored
              type: boolean
              description: >
                If the vulnerability report has been ignored.
            - name: is_patchable
              type: boolean
              description: >
                If vulnerability is fixable by using a Snyk supplied patch.
            - name: is_patched
              type: boolean
              description: >
                If the vulnerability has been patched.
            - name: is_pinnable
              type: boolean
              description: >
                If the vulnerability is fixable by pinning a transitive dependency.
            - name: is_upgradable
              type: boolean
              description: >
                If the vulnerability is fixable by upgrading a dependency.
            - name: language
              type: keyword
              description: >
                The package's programming language.
            - name: package
              type: keyword
              description: >
                The package identifier according to its package manager.
            - name: package_manager
              type: keyword
              description: >
                The package manager.
            - name: patches
              type: flattened
              description: >
                Patches required to resolve the issue created by Snyk.
            - name: priority_score
              type: long
              description: >
                The CVS priority score.
            - name: publication_time
              type: date
              description: >
                The vulnerability publication time.
            - name: jira_issue_url
              type: keyword
              description: >
                Link to the related Jira issue.
            - name: original_severity
              type: long
              description: >
                The original severity of the vulnerability.
            - name: reachability
              type: keyword
              description: >
                Whether the vulnerable function from the library is used in the scanned code. Can be one of No Info, Potentially reachable, or Reachable.
            - name: title
              type: keyword
              description: >
                The issue title.
            - name: type
              type: keyword
              description: >
                The issue type. Can be either "license" or "vulnerability".
            - name: unique_severities_list
              type: keyword
              description: >
                A list of related unique severities.
            - name: version
              type: keyword
              description: >
                The package version this issue is applicable to.
            - name: introduced_date
              type: date
              description: >
                The date the vulnerability was initially found.
            - name: is_fixed
              type: boolean
              description: >
                If the related vulnerability has been resolved.
            - name: credit
              type: keyword
              description: >
                Reference to the person that originally found the vulnerability.
            - name: semver
              type: flattened
              description: >
                One or more semver ranges this issue is applicable to. The format varies according to package manager.
            - name: identifiers.alternative
              type: keyword
              description: >
                Additional vulnerability identifiers.
            - name: identifiers.cwe
              type: keyword
              description: >
                CWE vulnerability identifiers.
- key: sonicwall
  title: Sonicwall-FW
  description: >
    sonicwall fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, &lt; 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client
                supports and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never
                be used to parse meta data directly from a session (logs or packets); it
                is a reserved key in NetWitness.
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures the IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with the
                database server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the Device Hostname, i.e. any
                hostname that is not captured in ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
                used (TM: Int32, INDEX: UInt64), although a port number fits in a UInt16.'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; all
                protocol numbers are converted to strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture Behaviors of Compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used only to capture the authentication method used
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on a HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: sophos
  title: "sophos"
  description: >
    sophos Module
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture the list of languages the client supports
                and which one it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link sessions together. It should never be
                used to parse metadata directly from a session (logs or packets); it is a
                reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process ID of a connection to the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, that is,
                any hostname that isn't ad.computer
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (neither is the correct UInt16)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet type. Used for layer 3
                protocols only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the protocol number; all
                protocol numbers are converted to strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the theme of a particular event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the subject of a particular event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event category code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviors of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture enablers of compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicators of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either WLAN number/name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in Storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
        - name: sophos.xg
          type: group
          release: beta
          description: >
            Module for parsing sophosxg syslog.
          fields:
            - name: action
              type: keyword
              description: |
                Event Action
            - name: activityname
              type: keyword
              description: |
                Web policy activity that matched and caused the policy result.
            - name: ap
              type: keyword
              description: |
                Access Point Serial ID or LocalWifi0 or LocalWifi1.
            - name: app_category
              type: keyword
              description: |
                Name of the category under which application falls
            - name: app_filter_policy_id
              type: keyword
              description: |
                Application filter policy ID applied on the traffic
            - name: app_is_cloud
              type: keyword
              description: |
                Application is Cloud
            - name: app_name
              type: keyword
              description: |
                Application name
            - name: app_resolved_by
              type: keyword
              description: |
                Application is resolved by signature or synchronized application
            - name: app_risk
              type: keyword
              description: |
                Risk level assigned to the application
            - name: app_technology
              type: keyword
              description: |
                Technology of the application
            - name: appfilter_policy_id
              type: integer
              description: |
                Application Filter policy applied on the traffic
            - name: application
              type: keyword
              description: |
                Application name
            - name: application_category
              type: keyword
              description: |
                Application is resolved by signature or synchronized application
            - name: application_filter_policy
              type: integer
              description: |
                Application Filter policy applied on the traffic
            - name: application_name
              type: keyword
              description: |
                Application name
            - name: application_risk
              type: keyword
              description: |
                Risk level assigned to the application
            - name: application_technology
              type: keyword
              description: |
                Technology of the application
            - name: appresolvedby
              type: keyword
              description: |
                Technology of the application
            - name: auth_client
              type: keyword
              description: |
                Auth Client
            - name: auth_mechanism
              type: keyword
              description: |
                Auth mechanism
            - name: av_policy_name
              type: keyword
              description: |
                Malware scanning policy name which is applied on the traffic
            - name: backup_mode
              type: keyword
              description: |
                Backup mode
            - name: branch_name
              type: keyword
              description: |
                Branch Name
            - name: category
              type: keyword
              description: |
                IPS signature category.
            - name: category_type
              type: keyword
              description: |
                Type of category under which website falls
            - name: classification
              type: keyword
              description: |
                Signature classification
            - name: client_host_name
              type: keyword
              description: |
                Client host name
            - name: client_physical_address
              type: keyword
              description: |
                Client physical address
            - name: clients_conn_ssid
              type: long
              description: |
                Number of clients connected to the SSID.
            - name: collisions
              type: long
              description: |
                collisions
            - name: con_event
              type: keyword
              description: |
                Event Start/Stop
            - name: con_id
              type: integer
              description: |
                Unique identifier of connection
            - name: configuration
              type: float
              description: |
                Configuration
            - name: conn_id
              type: integer
              description: |
                Unique identifier of connection
            - name: connectionname
              type: keyword
              description: |
                Connectionname
            - name: connectiontype
              type: keyword
              description: |
                Connectiontype
            - name: connevent
              type: keyword
              description: |
                Event on which this log is generated
            - name: connid
              type: keyword
              description: |
                Connection ID
            - name: content_type
              type: keyword
              description: |
                Type of the content
            - name: contenttype
              type: keyword
              description: |
                Type of the content
            - name: context_match
              type: keyword
              description: |
                Context Match
            - name: context_prefix
              type: keyword
              description: |
                Content Prefix
            - name: context_suffix
              type: keyword
              description: |
                Context Suffix
            - name: cookie
              type: keyword
              description: |
                cookie
            - name: date
              type: date
              description: |
                Date (yyyy-mm-dd) when the event occurred
            - name: destinationip
              type: ip
              description: |
                Original destination IP address of traffic
            - name: device
              type: keyword
              description: |
                device
            - name: device_id
              type: keyword
              description: |
                Serial number of the device
            - name: device_model
              type: keyword
              description: |
                Model number of the device
            - name: device_name
              type: keyword
              description: |
                Model number of the device
            - name: dictionary_name
              type: keyword
              description: |
                Dictionary Name
            - name: dir_disp
              type: keyword
              description: |
                Packet direction. Possible values: “org”, “reply”, “”
            - name: direction
              type: keyword
              description: |
                Direction
            - name: domainname
              type: keyword
              description: |
                Domain from which virus was downloaded
            - name: download_file_name
              type: keyword
              description: |
                Download file name
            - name: download_file_type
              type: keyword
              description: |
                Download file type
            - name: dst_country_code
              type: keyword
              description: |
                Code of the country to which the destination IP belongs
            - name: dst_domainname
              type: keyword
              description: |
                Receiver domain name
            - name: dst_ip
              type: ip
              description: |
                Original destination IP address of traffic
            - name: dst_port
              type: integer
              description: |
                Original destination port of TCP and UDP traffic
            - name: dst_zone_type
              type: keyword
              description: |
                Type of destination zone
            - name: dstdomain
              type: keyword
              description: |
                Destination Domain
            - name: duration
              type: long
              description: |
                Duration of traffic (seconds)
            - name: email_subject
              type: keyword
              description: |
                Email Subject
            - name: ep_uuid
              type: keyword
              description: |
                Endpoint UUID
            - name: ether_type
              type: keyword
              description: |
                ethernet frame type
            - name: eventid
              type: keyword
              description: |
                ATP Event ID
            - name: eventtime
              type: date
              description: |
                Event time
            - name: eventtype
              type: keyword
              description: |
                ATP event type
            - name: exceptions
              type: keyword
              description: |
                List of the checks excluded by web exceptions.
            - name: execution_path
              type: keyword
              description: |
                ATP execution path
            - name: extra
              type: keyword
              description: |
                extra
            - name: file_name
              type: keyword
              description: |
                Filename
            - name: file_path
              type: keyword
              description: |
                File path
            - name: file_size
              type: integer
              description: |
                File Size
            - name: filename
              type: keyword
              description: |
                File name associated with the event
            - name: filepath
              type: keyword
              description: |
                Path of the file containing virus
            - name: filesize
              type: integer
              description: |
                Size of the file that contained virus
            - name: free
              type: integer
              description: |
                free
            - name: from_email_address
              type: keyword
              description: |
                Sender email address
            - name: ftp_direction
              type: keyword
              description: |
                Direction of FTP transfer: Upload or Download
            - name: ftp_url
              type: keyword
              description: |
                FTP URL from which virus was downloaded
            - name: ftpcommand
              type: keyword
              description: |
                FTP command used when virus was found
            - name: fw_rule_id
              type: integer
              description: |
                Firewall Rule ID which is applied on the traffic
            - name: fw_rule_type
              type: keyword
              description: |
                Firewall rule type which is applied on the traffic
            - name: hb_health
              type: keyword
              description: |
                Heartbeat status
            - name: hb_status
              type: keyword
              description: |
                Heartbeat status
            - name: host
              type: keyword
              description: |
                Host
            - name: http_category
              type: keyword
              description: |
                HTTP Category
            - name: http_category_type
              type: keyword
              description: |
                HTTP Category Type
            - name: httpresponsecode
              type: long
              description: |
                HTTP response code
            - name: iap
              type: keyword
              description: |
                Internet Access policy ID applied on the traffic
            - name: icmp_code
              type: keyword
              description: |
                ICMP code of ICMP traffic
            - name: icmp_type
              type: keyword
              description: |
                ICMP type of ICMP traffic
            - name: idle_cpu
              type: float
              description: |
                idle ##
            - name: idp_policy_id
              type: integer
              description: |
                IPS policy ID which is applied on the traffic
            - name: idp_policy_name
              type: keyword
              description: |
                IPS policy name i.e. IPS policy name which is applied on the traffic
            - name: in_interface
              type: keyword
              description: |
                Interface for incoming traffic, e.g., Port A
            - name: interface
              type: keyword
              description: |
                interface
            - name: ipaddress
              type: keyword
              description: |
                Ipaddress
            - name: ips_policy_id
              type: integer
              description: |
                IPS policy ID applied on the traffic
            - name: lease_time
              type: keyword
              description: |
                Lease Time
            - name: localgateway
              type: keyword
              description: |
                Localgateway
            - name: localnetwork
              type: keyword
              description: |
                Localnetwork
            - name: log_component
              type: keyword
              description: |
                Component responsible for logging e.g. Firewall rule
            - name: log_id
              type: keyword
              description: |
                Unique 12-character code (0101011)
            - name: log_subtype
              type: keyword
              description: |
                Subtype of event
            - name: log_type
              type: keyword
              description: |
                Type of event e.g. firewall event
            - name: log_version
              type: keyword
              description: |
                Log Version
            - name: login_user
              type: keyword
              description: |
                ATP login user
            - name: mailid
              type: keyword
              description: |
                mailid
            - name: mailsize
              type: integer
              description: |
                mailsize
            - name: message
              type: keyword
              description: |
                Message
            - name: mode
              type: keyword
              description: |
                Mode
            - name: nat_rule_id
              type: keyword
              description: |
                NAT Rule ID
            - name: newversion
              type: keyword
              description: |
                Newversion
            - name: oldversion
              type: keyword
              description: |
                Oldversion
            - name: out_interface
              type: keyword
              description: |
                Interface for outgoing traffic, e.g., Port B
            - name: override_authorizer
              type: keyword
              description: |
                Override authorizer
            - name: override_name
              type: keyword
              description: |
                Override name
            - name: override_token
              type: keyword
              description: |
                Override token
            - name: phpsessid
              type: keyword
              description: |
                PHP session ID
            - name: platform
              type: keyword
              description: |
                Platform of the traffic.
            - name: policy_type
              type: keyword
              description: |
                Policy type applied to the traffic
            - name: priority
              type: keyword
              description: |
                Severity level of traffic
            - name: protocol
              type: keyword
              description: |
                Protocol number of traffic
            - name: qualifier
              type: keyword
              description: |
                Qualifier
            - name: quarantine
              type: keyword
              description: |
                Path and filename of the file quarantined
            - name: quarantine_reason
              type: keyword
              description: |
                Quarantine reason
            - name: querystring
              type: keyword
              description: |
                querystring
            - name: raw_data
              type: keyword
              description: |
                Raw data
            - name: received_pkts
              type: long
              description: |
                Total number of packets received
            - name: receiveddrops
              type: long
              description: |
                received drops
            - name: receivederrors
              type: keyword
              description: |
                received errors
            - name: receivedkbits
              type: long
              description: |
                received kbits
            - name: recv_bytes
              type: long
              description: |
                Total number of bytes received
            - name: red_id
              type: keyword
              description: |
                RED ID
            - name: referer
              type: keyword
              description: |
                Referer
            - name: remote_ip
              type: ip
              description: |
                Remote IP
            - name: remotenetwork
              type: keyword
              description: |
                remotenetwork
            - name: reported_host
              type: keyword
              description: |
                Reported Host
            - name: reported_ip
              type: keyword
              description: |
                Reported IP
            - name: reports
              type: float
              description: |
                Reports
            - name: rule_priority
              type: keyword
              description: |
                Priority of IPS policy
            - name: sent_bytes
              type: long
              description: |
                Total number of bytes sent
            - name: sent_pkts
              type: long
              description: |
                Total number of packets sent
            - name: server
              type: keyword
              description: |
                Server
            - name: sessionid
              type: keyword
              description: |
                Sessionid
            - name: sha1sum
              type: keyword
              description: |
                SHA1 checksum of the item being analyzed
            - name: signature
              type: float
              description: |
                Signature
            - name: signature_id
              type: keyword
              description: |
                Signature ID
            - name: signature_msg
              type: keyword
              description: |
                Signature message
            - name: site_category
              type: keyword
              description: |
                Site Category
            - name: source
              type: keyword
              description: |
                Source
            - name: sourceip
              type: ip
              description: |
                Original source IP address of traffic
            - name: spamaction
              type: keyword
              description: |
                Spam Action
            - name: sqli
              type: keyword
              description: |
                related SQLI caught by the WAF
            - name: src_country_code
              type: keyword
              description: |
                Code of the country to which the source IP belongs
            - name: src_domainname
              type: keyword
              description: |
                Sender domain name
            - name: src_ip
              type: ip
              description: |
                Original source IP address of traffic
            - name: src_mac
              type: keyword
              description: |
                Original source MAC address of traffic
            - name: src_port
              type: integer
              description: |
                Original source port of TCP and UDP traffic
            - name: src_zone_type
              type: keyword
              description: |-
                Type of source zone
            - name: ssid
              type: keyword
              description: |
                Configured SSID name.
            - name: start_time
              type: date
              description: |
                Start time
            - name: starttime
              type: date
              description: |
                Starttime
            - name: status
              type: keyword
              description: |
                Ultimate status of traffic – Allowed or Denied
            - name: status_code
              type: keyword
              description: |
                Status code
            - name: subject
              type: keyword
              description: |
                Email subject
            - name: syslog_server_name
              type: keyword
              description: |
                Syslog server name.
            - name: system_cpu
              type: float
              description: |
                system
            - name: target
              type: keyword
              description: |
                Platform of the traffic.
            - name: temp
              type: float
              description: |
                Temp
            - name: threatname
              type: keyword
              description: |
                ATP threatname
            - name: timestamp
              type: date
              description: |
                timestamp
            - name: timezone
              type: keyword
              description: |
                Time (hh:mm:ss) when the event occurred
            - name: to_email_address
              type: keyword
              description: |
                Recipient email address
            - name: total_memory
              type: integer
              description: |
                Total Memory
            - name: trans_dst_ip
              type: ip
              description: |
                Translated destination IP address for outgoing traffic
            - name: trans_dst_port
              type: integer
              description: |
                Translated destination port for outgoing traffic
            - name: trans_src_ip
              type: ip
              description: |
                Translated source IP address for outgoing traffic
            - name: trans_src_port
              type: integer
              description: |
                Translated source port for outgoing traffic
            - name: transaction_id
              type: keyword
              description: |
                Transaction ID
            - name: transactionid
              type: keyword
              description: |
                Transaction ID of the AV scan.
            - name: transmitteddrops
              type: long
              description: |
                transmitted drops
            - name: transmittederrors
              type: keyword
              description: |
                transmitted errors
            - name: transmittedkbits
              type: long
              description: |
                transmitted kbits
            - name: unit
              type: keyword
              description: |
                unit
            - name: updatedip
              type: ip
              description: |
                updatedip
            - name: upload_file_name
              type: keyword
              description: |
                Upload file name
            - name: upload_file_type
              type: keyword
              description: |
                Upload file type
            - name: url
              type: keyword
              description: |
                URL from which virus was downloaded
            - name: used
              type: integer
              description: |
                used
            - name: used_quota
              type: keyword
              description: |
                Used Quota
            - name: user
              type: keyword
              description: |
                User
            - name: user_cpu
              type: float
              description: |
                system
            - name: user_gp
              type: keyword
              description: |
                Group name to which the user belongs.
            - name: user_group
              type: keyword
              description: |
                Group name to which the user belongs
            - name: user_name
              type: keyword
              description: |
                user_name
            - name: users
              type: long
              description: |
                Number of users from System Health / Live User events.
            - name: vconn_id
              type: integer
              description: |
                Connection ID of the master connection
            - name: virus
              type: keyword
              description: |
                virus name
            - name: web_policy_id
              type: keyword
              description: |
                Web policy ID
            - name: website
              type: keyword
              description: |
                Website
            - name: xss
              type: keyword
              description: |
                related XSS caught by the WAF
- key: squid
  title: Squid
  description: >
    squid fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture name of object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture type of object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                fully qualified domain name in a windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a windows only concept, where this key is used to capture
                combination of domain name and username in a windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture unique identifier for a device or system
                (NOT a Mac address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture listname or listnumber, primarily for
                collecting access-list
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlaid onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of a session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used only to capture the authentication methods used
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used only to capture the role of a user
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: This key is for uninterpreted LDAP values, i.e. LDAP values that
                don't have a clear query or response context
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key captures the results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is running
                as, i.e. the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key, used to capture the name of
                the account a service (referenced in the event) is running under. Legacy usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination email address only;
                when the destination context is not clear, use email instead
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email instead
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, i.e. the file
                which performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of the file, as found in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: This key is for the encryption peer's identity
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the channel names
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures either the WLAN number or the WLAN name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: suricata
  title: Suricata
  description: >
    Module for handling the EVE JSON logs produced by Suricata.
  fields:
    - name: suricata
      type: group
      description: >
        Fields from the Suricata EVE log file.
      fields:
        - name: eve
          type: group
          description: >
            Fields exported by the EVE JSON logs
          fields:
            - name: event_type
              type: keyword
        
            - name: app_proto_orig
              type: keyword
        
            - name: tcp
              type: group
              fields:
              - name: tcp_flags
                type: keyword
        
              - name: psh
                type: boolean
        
              - name: tcp_flags_tc
                type: keyword
        
              - name: ack
                type: boolean
        
              - name: syn
                type: boolean
        
              - name: state
                type: keyword
        
              - name: tcp_flags_ts
                type: keyword
        
              - name: rst
                type: boolean
        
              - name: fin
                type: boolean
        
            - name: fileinfo
              type: group
              fields:
              - name: sha1
                type: keyword
        
              - name: tx_id
                type: long
        
              - name: state
                type: keyword
        
              - name: stored
                type: boolean
        
              - name: gaps
                type: boolean
        
              - name: sha256
                type: keyword
        
              - name: md5
                type: keyword
        
            - name: icmp_type
              type: long
        
            - name: pcap_cnt
              type: long
        
            - name: dns
              type: group
              fields:
              - name: type
                type: keyword
        
              - name: rrtype
                type: keyword
        
              - name: rrname
                type: keyword
        
              - name: rdata
                type: keyword
        
              - name: tx_id
                type: long
        
              - name: ttl
                type: long
        
              - name: rcode
                type: keyword
        
              - name: id
                type: long
        
            - name: flow_id
              type: keyword
        
            - name: email
              type: group
              fields:
              - name: status
                type: keyword
        
            - name: icmp_code
              type: long
        
            - name: http
              type: group
              fields:
              - name: redirect
                type: keyword
        
              - name: protocol
                type: keyword
        
              - name: http_content_type
                type: keyword
        
            - name: in_iface
              type: keyword
        
            - name: alert
              type: group
              fields:
              - name: metadata
                type: flattened
                description: Metadata about the alert.
        
              - name: category
                type: keyword
        
              - name: rev
                type: long
        
              - name: gid
                type: long
        
              - name: signature
                type: keyword
        
              - name: signature_id
                type: long
              - name: protocols
                type: keyword
              - name: attack_target
                type: keyword
              - name: capec_id
                type: keyword
              - name: cwe_id
                type: keyword
              - name: malware
                type: keyword
              - name: cve
                type: keyword
              - name: cvss_v2_base
                type: keyword
              - name: cvss_v2_temporal
                type: keyword
              - name: cvss_v3_base
                type: keyword
              - name: cvss_v3_temporal
                type: keyword
              - name: priority
                type: keyword
              - name: hostile
                type: keyword
              - name: infected
                type: keyword
              - name: created_at
                type: date
              - name: updated_at
                type: date
              - name: classtype
                type: keyword
              - name: rule_source
                type: keyword
              - name: sid
                type: keyword
              - name: affected_product
                type: keyword
              - name: deployment
                type: keyword
              - name: former_category
                type: keyword
              - name: mitre_tool_id
                type: keyword
              - name: performance_impact
                type: keyword
              - name: signature_severity
                type: keyword
              - name: tag
                type: keyword
        
            - name: ssh
              type: group
              fields:
              - name: client
                type: group
                fields:
                - name: proto_version
                  type: keyword
        
                - name: software_version
                  type: keyword
        
              - name: server
                type: group
                fields:
                - name: proto_version
                  type: keyword
        
                - name: software_version
                  type: keyword
        
            - name: stats
              type: group
              fields:
              - name: capture
                type: group
                fields:
                - name: kernel_packets
                  type: long
        
                - name: kernel_drops
                  type: long
        
                - name: kernel_ifdrops
                  type: long
        
              - name: uptime
                type: long
        
              - name: detect
                type: group
                fields:
                - name: alert
                  type: long
        
              - name: http
                type: group
                fields:
                - name: memcap
                  type: long
        
                - name: memuse
                  type: long
        
              - name: file_store
                type: group
                fields:
                - name: open_files
                  type: long
        
              - name: defrag
                type: group
                fields:
                - name: max_frag_hits
                  type: long
        
                - name: ipv4
                  type: group
                  fields:
                  - name: timeouts
                    type: long
        
                  - name: fragments
                    type: long
        
                  - name: reassembled
                    type: long
        
                - name: ipv6
                  type: group
                  fields:
                  - name: timeouts
                    type: long
        
                  - name: fragments
                    type: long
        
                  - name: reassembled
                    type: long
        
              - name: flow
                type: group
                fields:
                - name: tcp_reuse
                  type: long
        
                - name: udp
                  type: long
        
                - name: memcap
                  type: long
        
                - name: emerg_mode_entered
                  type: long
        
                - name: emerg_mode_over
                  type: long
        
                - name: tcp
                  type: long
        
                - name: icmpv6
                  type: long
        
                - name: icmpv4
                  type: long
        
                - name: spare
                  type: long
        
                - name: memuse
                  type: long
        
              - name: tcp
                type: group
                fields:
                - name: pseudo_failed
                  type: long
        
                - name: ssn_memcap_drop
                  type: long
        
                - name: insert_data_overlap_fail
                  type: long
        
                - name: sessions
                  type: long
        
                - name: pseudo
                  type: long
        
                - name: synack
                  type: long
        
                - name: insert_data_normal_fail
                  type: long
        
                - name: syn
                  type: long
        
                - name: memuse
                  type: long
        
                - name: invalid_checksum
                  type: long
        
                - name: segment_memcap_drop
                  type: long
        
                - name: overlap
                  type: long
        
                - name: insert_list_fail
                  type: long
        
                - name: rst
                  type: long
        
                - name: stream_depth_reached
                  type: long
        
                - name: reassembly_memuse
                  type: long
        
                - name: reassembly_gap
                  type: long
        
                - name: overlap_diff_data
                  type: long
        
                - name: no_flow
                  type: long
        
              - name: decoder
                type: group
                fields:
                - name: avg_pkt_size
                  type: long
        
                - name: bytes
                  type: long
        
                - name: tcp
                  type: long
        
                - name: raw
                  type: long
        
                - name: ppp
                  type: long
        
                - name: vlan_qinq
                  type: long
        
                - name: 'null'
                  type: long
        
                - name: ltnull
                  type: group
                  fields:
                  - name: unsupported_type
                    type: long
        
                  - name: pkt_too_small
                    type: long
        
                - name: invalid
                  type: long
        
                - name: gre
                  type: long
        
                - name: ipv4
                  type: long
        
                - name: ipv6
                  type: long
        
                - name: pkts
                  type: long
        
                - name: ipv6_in_ipv6
                  type: long
        
                - name: ipraw
                  type: group
                  fields:
                  - name: invalid_ip_version
                    type: long
        
                - name: pppoe
                  type: long
        
                - name: udp
                  type: long
        
                - name: dce
                  type: group
                  fields:
                  - name: pkt_too_small
                    type: long
        
                - name: vlan
                  type: long
        
                - name: sctp
                  type: long
        
                - name: max_pkt_size
                  type: long
        
                - name: teredo
                  type: long
        
                - name: mpls
                  type: long
        
                - name: sll
                  type: long
        
                - name: icmpv6
                  type: long
        
                - name: icmpv4
                  type: long
        
                - name: erspan
                  type: long
        
                - name: ethernet
                  type: long
        
                - name: ipv4_in_ipv6
                  type: long
        
                - name: ieee8021ah
                  type: long
        
              - name: dns
                type: group
                fields:
                - name: memcap_global
                  type: long
        
                - name: memcap_state
                  type: long
        
                - name: memuse
                  type: long
        
              - name: flow_mgr
                type: group
                fields:
                - name: rows_busy
                  type: long
        
                - name: flows_timeout
                  type: long
        
                - name: flows_notimeout
                  type: long
        
                - name: rows_skipped
                  type: long
        
                - name: closed_pruned
                  type: long
        
                - name: new_pruned
                  type: long
        
                - name: flows_removed
                  type: long
        
                - name: bypassed_pruned
                  type: long
        
                - name: est_pruned
                  type: long
        
                - name: flows_timeout_inuse
                  type: long
        
                - name: flows_checked
                  type: long
        
                - name: rows_maxlen
                  type: long
        
                - name: rows_checked
                  type: long
        
                - name: rows_empty
                  type: long
        
              - name: app_layer
                type: group
                fields:
                - name: flow
                  type: group
                  fields:
                  - name: tls
                    type: long
        
                  - name: ftp
                    type: long
        
                  - name: http
                    type: long
        
                  - name: failed_udp
                    type: long
        
                  - name: dns_udp
                    type: long
        
                  - name: dns_tcp
                    type: long
        
                  - name: smtp
                    type: long
        
                  - name: failed_tcp
                    type: long
        
                  - name: msn
                    type: long
        
                  - name: ssh
                    type: long
        
                  - name: imap
                    type: long
        
                  - name: dcerpc_udp
                    type: long
        
                  - name: dcerpc_tcp
                    type: long
        
                  - name: smb
                    type: long
        
                - name: tx
                  type: group
                  fields:
                  - name: tls
                    type: long
        
                  - name: ftp
                    type: long
        
                  - name: http
                    type: long
        
                  - name: dns_udp
                    type: long
        
                  - name: dns_tcp
                    type: long
        
                  - name: smtp
                    type: long
        
                  - name: ssh
                    type: long
        
                  - name: dcerpc_udp
                    type: long
        
                  - name: dcerpc_tcp
                    type: long
        
                  - name: smb
                    type: long
        
            - name: tls
              type: group
              fields:
              - name: notbefore
                type: date
        
              - name: issuerdn
                type: keyword
        
              - name: sni
                type: keyword
        
              - name: version
                type: keyword
        
              - name: session_resumed
                type: boolean
        
              - name: fingerprint
                type: keyword
        
              - name: serial
                type: keyword
        
              - name: notafter
                type: date
        
              - name: subject
                type: keyword
        
              - name: ja3s
                type: group
                fields:
                  - name: string
                    type: keyword
                  - name: hash
                    type: keyword
        
              - name: ja3
                type: group
                fields:
                  - name: string
                    type: keyword
                  - name: hash
                    type: keyword
        
            - name: app_proto_ts
              type: keyword
        
            - name: flow
              type: group
              fields:
              - name: age
                type: long
        
              - name: state
                type: keyword
        
              - name: reason
                type: keyword
        
              - name: alerted
                type: boolean
        
            - name: tx_id
              type: long
        
            - name: app_proto_tc
              type: keyword
        
            - name: smtp
              type: group
              fields:
              - name: rcpt_to
                type: keyword
        
              - name: mail_from
                type: keyword
        
              - name: helo
                type: keyword
        
            - name: app_proto_expected
              type: keyword
        
            - name: flags
              type: group
              fields:
- key: threatintel
  title: threatintel
  release: ga
  description: >
    Threat intelligence Filebeat Module.
  fields:
    - name: ""
      type: group
      fields:
        - name: threat.indicator.file.hash.tlsh
          type: keyword
          description: >
            The file's TLSH hash, if available.

        - name: threat.indicator.file.hash.sha384
          type: keyword
          description: >
            The file's sha384 hash, if available.

        - name: threat.feed.name
          type: keyword

        - name: threat.feed.dashboard_id
          type: keyword
        - name: abusech.malware
          type: group
          description: >
            Fields for AbuseCH Malware Threat Intel
          fields:
          - name: file_type
            type: keyword
            description: >
              File type guessed by URLhaus.
        
          - name: signature
            type: keyword
            description: >
              Malware family.
        
          - name: urlhaus_download
            type: keyword
            description: >
              Location (URL) where you can download a copy of this file.
        
          - name: virustotal.result
            type: keyword
            description: >
              AV detection ratio.
        
          - name: virustotal.percent
            type: float
            description: >
              AV detection in percent.
        
          - name: virustotal.link
            type: keyword
            description: >
              Link to the Virustotal report.
        - name: abusech.url
          type: group
          description: >
            Fields for AbuseCH URL (URLhaus) Threat Intel
          fields:
          - name: id
            type: keyword
            description: >
              The ID of the url.
        
          - name: urlhaus_reference
            type: keyword
            description: >
              Link to URLhaus entry.
        
          - name: url_status
            type: keyword
            description: >
              The current status of the URL. Possible values are: online, offline and unknown.
        
          - name: threat
            type: keyword
            description: >
              The threat corresponding to this malware URL.
        
          - name: blacklists.surbl
            type: keyword
            description: >
              SURBL blacklist status. Possible values are: listed and not_listed.
        
          - name: blacklists.spamhaus_dbl
            type: keyword
            description: >
              Spamhaus DBL blacklist status.
        
          - name: reporter
            type: keyword
            description: >
              The Twitter handle of the reporter that has reported this malware URL (or anonymous).
        
          - name: larted
            type: boolean
            description: >
              Indicates whether the malware URL has been reported to the hosting provider (true or false).
        
          - name: tags
            type: keyword
            description: >
              A list of tags associated with the queried malware URL.
        - name: anomali.limo
          type: group
          description: >
            Fields for Anomali Threat Intel
          fields:
          - name: id
            type: keyword
            description: >
              The ID of the indicator.
          - name: name
            type: keyword
            description: >
              The name of the indicator.
          - name: pattern
            type: keyword
            description: >
              The pattern ID of the indicator.
          - name: valid_from
            type: date
            description: >
              When the indicator was first found or is considered valid.
          - name: modified
            type: date
            description: >
              When the indicator was last modified.
          - name: labels
            type: keyword
            description: >
              The labels related to the indicator.
          - name: indicator
            type: keyword
            description: >
              The value of the indicator, for example if the type is domain, this would be the value.
          - name: description
            type: keyword
            description: >
              A description of the indicator.
          - name: title
            type: keyword
            description: >
              Title describing the indicator.
          - name: content
            type: keyword
            description: >
              Extra text or descriptive content related to the indicator.
          - name: type
            type: keyword
            description: >
              The indicator type, can for example be "domain, email, FileHash-SHA256".
          - name: object_marking_refs
            type: keyword
            description: >
              The STIX reference object.
        - name: anomali.threatstream
          type: group
          description: >
            Fields for Anomali ThreatStream
          fields:
        
          - name: classification
            type: keyword
            description: >
              Indicates whether an indicator is private or from a public feed and available publicly.
              Possible values: private, public.
            example: private
        
          - name: confidence
            type: short
            description: >
              The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators.
        
          - name: detail2
            type: text
            description: >
              Detail text for indicator.
            example: Imported by user 42.
        
          - name: id
            type: keyword
            description: >
              The ID of the indicator.
        
          - name: import_session_id
            type: keyword
            description: >
              ID of the import session that created the indicator on ThreatStream.
        
          - name: itype
            type: keyword
            description: >
              Indicator type.
              Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url",
              "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain",
              "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email",
              "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip",
              "suspicious_domain", "tor_ip" and "torrent_tracker_url".
        
          - name: maltype
            type: wildcard
            description: >
              Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
        
          - name: md5
            type: keyword
            description: >
              Hash for the indicator.
        
          - name: resource_uri
            type: keyword
            description: >
              Relative URI for the indicator details.
        
          - name: severity
            type: keyword
            description: >
              Criticality associated with the threat feed that supplied the indicator.
              Possible values: low, medium, high, very-high.
        
          - name: source
            type: keyword
            description: >
              Source for the indicator.
            example: Analyst
        
          - name: source_feed_id
            type: keyword
            description: >
              ID for the integrator source.
        
          - name: state
            type: keyword
            description: >
              State for this indicator.
            example: active
        
          - name: trusted_circle_ids
            type: keyword
            description: >
              ID of the trusted circle that imported the indicator.
        
          - name: update_id
            type: keyword
            description: >
              Update ID.
        
          - name: url
            type: keyword
            description: >
              URL for the indicator.
        
          - name: value_type
            type: keyword
            description: >
              Data type of the indicator.
              Possible values: ip, domain, url, email, md5.
        - name: abusech.malwarebazaar
          type: group
          description: >
            Fields for Malware Bazaar Threat Intel
          fields:
          - name: file_type
            type: keyword
            description: >
              File type guessed by Malware Bazaar.
          - name: signature
            type: keyword
            description: >
              Malware family.
          - name: tags
            type: keyword
            description: >
              A list of tags associated with the queried malware sample.
          - name: intelligence
            type: group
            fields:
            - name: downloads
              type: long
              description: >
                Number of downloads from MalwareBazaar.
            - name: uploads
              type: long
              description: >
                Number of uploads to MalwareBazaar.
            - name: mail
              type: group
              fields:
              - name: Generic
                type: keyword
                description: >
                  Malware seen in generic spam traffic.
              - name: IT
                type: keyword
                description: >
                  Malware seen in IT spam traffic.
          - name: anonymous
            type: long
            description: >
              Numeric flag indicating whether the sample was submitted anonymously.
          - name: code_sign
            type: nested
            description: >
              Code signing information for the sample.
        - name: misp
          type: group
          description: >
            Fields for MISP Threat Intel
          fields:
          - name: id
            type: keyword
            description: >
              Attribute ID.
          - name: orgc_id
            type: keyword
            description: >
              Organization Community ID of the event.
          - name: org_id
            type: keyword
            description: >
              Organization ID of the event.
          - name: threat_level_id
            type: long
            description: >
              MISP threat level ID of the event, where a lower number is more critical (1 is the most critical).
          - name: info
            type: keyword
            description: >
              Additional text or information related to the event.
          - name: published
            type: boolean
            description: >
              Whether the event has been published.
          - name: uuid
            type: keyword
            description: >
              The UUID of the event object.
          - name: date
            type: date
            description: >
              The date on which the event object was created.
          - name: attribute_count
            type: long
            description: >
              How many attributes are included in a single event object.
          - name: timestamp
            type: date
            description: >
              The timestamp of when the event object was created.
          - name: distribution
            type: keyword
            description: >
              Distribution type related to MISP.
          - name: proposal_email_lock
            type: boolean
            description: >
              Settings configured on MISP for email lock on this event object.
          - name: locked
            type: boolean
            description: >
              If the current MISP event object is locked or not.
          - name: publish_timestamp
            type: date
            description: >
              At what time the event object was published.
          - name: sharing_group_id
            type: keyword
            description: >
              The ID of the grouped events or sources of the event.
          - name: disable_correlation
            type: boolean
            description: >
              If correlation is disabled on the MISP event object.
          - name: extends_uuid
            type: keyword
            description: >
              The UUID of the event object it might extend.
          - name: org.id
            type: keyword
            description: >
              The organization ID related to the event object.
          - name: org.name
            type: keyword
            description: >
              The organization name related to the event object.
          - name: org.uuid
            type: keyword
            description: >
              The UUID of the organization related to the event object.
          - name: org.local
            type: boolean
            description: >
              If the event object is local or from a remote source.
          - name: orgc.id
            type: keyword
            description: >
              The Organization Community ID from which the event object was reported.
          - name: orgc.name
            type: keyword
            description: >
              The Organization Community name from which the event object was reported.
          - name: orgc.uuid
            type: keyword
            description: >
              The Organization Community UUID from which the event object was reported.
          - name: orgc.local
            type: boolean
            description: >
              If the Organization Community was local or synced from a remote source.
          - name: attribute.id
            type: keyword
            description: >
              The ID of the attribute related to the event object.
          - name: attribute.type
            type: keyword
            description: >
              The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
          - name: attribute.category
            type: keyword
            description: >
              The category of the attribute related to the event object. For example "Network Activity".
          - name: attribute.to_ids
            type: boolean
            description: >
              If the attribute should be automatically synced with an IDS.
          - name: attribute.uuid
            type: keyword
            description: >
              The UUID of the attribute related to the event.
          - name: attribute.event_id
            type: keyword
            description: >
              The local event ID of the attribute related to the event.
          - name: attribute.distribution
            type: long
            description: >
              How the attribute has been distributed, represented by integer numbers.
          - name: attribute.timestamp
            type: date
            description: >
              The timestamp at which the attribute was attached to the event object.
          - name: attribute.comment
            type: keyword
            description: >
              Comments made to the attribute itself.
          - name: attribute.sharing_group_id
            type: keyword
            description: >
              The group ID of the sharing group related to the specific attribute.
          - name: attribute.deleted
            type: boolean
            description: >
              If the attribute has been removed from the event object.
          - name: attribute.disable_correlation
            type: boolean
            description: >
              If correlation has been disabled on the attribute related to the event object.
          - name: attribute.object_id
            type: keyword
            description: >
              The ID of the Object to which the attribute is attached.
          - name: attribute.object_relation
            type: keyword
            description: >
              The type of relation the attribute has with the event object itself.
          - name: attribute.value
            type: keyword
            description: >
              The value of the attribute, depending on the type like "url, sha1, email-src".
          - name: context.attribute.id
            type: keyword
            description: >
              The ID of the secondary attribute related to the event object.
          - name: context.attribute.type
            type: keyword
            description: >
              The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
          - name: context.attribute.category
            type: keyword
            description: >
              The category of the secondary attribute related to the event object. For example "Network Activity".
          - name: context.attribute.to_ids
            type: boolean
            description: >
              If the secondary attribute should be automatically synced with an IDS.
          - name: context.attribute.uuid
            type: keyword
            description: >
              The UUID of the secondary attribute related to the event.
          - name: context.attribute.event_id
            type: keyword
            description: >
              The local event ID of the secondary attribute related to the event.
          - name: context.attribute.distribution
            type: long
            description: >
              How the secondary attribute has been distributed, represented by integer numbers.
          - name: context.attribute.timestamp
            type: date
            description: >
              The timestamp at which the secondary attribute was attached to the event object.
          - name: context.attribute.comment
            type: keyword
            description: >
              Comments made to the secondary attribute itself.
          - name: context.attribute.sharing_group_id
            type: keyword
            description: >
              The group ID of the sharing group related to the specific secondary attribute.
          - name: context.attribute.deleted
            type: boolean
            description: >
              If the secondary attribute has been removed from the event object.
          - name: context.attribute.disable_correlation
            type: boolean
            description: >
              If correlation has been disabled on the secondary attribute related to the event object.
          - name: context.attribute.object_id
            type: keyword
            description: >
              The ID of the Object to which the secondary attribute is attached.
          - name: context.attribute.object_relation
            type: keyword
            description: >
              The type of relation the secondary attribute has with the event object itself.
          - name: context.attribute.value
            type: keyword
            description: >
              The value of the secondary attribute, depending on the type like "url, sha1, email-src".
        - name: otx
          type: group
          description: >
            Fields for OTX Threat Intel
          fields:
          - name: id
            type: keyword
            description: >
              The ID of the indicator.
          - name: indicator
            type: keyword
            description: >
              The value of the indicator, for example if the type is domain, this would be the value.
          - name: description
            type: keyword
            description: >
              A description of the indicator.
          - name: title
            type: keyword
            description: >
              Title describing the indicator.
          - name: content
            type: keyword
            description: >
              Extra text or descriptive content related to the indicator.
          - name: type
            type: keyword
            description: >
              The indicator type, can for example be "domain, email, FileHash-SHA256".
        - name: threatq
          type: group
          description: >
            Fields for ThreatQ Threat Library
          fields:
          - name: updated_at
            type: date
            description: >
              Last modification time
          - name: created_at
            type: date
            description: >
              Object creation time
          - name: expires_at
            type: date
            description: >
              Expiration time
          - name: expires_calculated_at
            type: date
            description: >
              Expiration calculation time
          - name: published_at
            type: date
            description: >
              Object publication time
          - name: status
            type: keyword
            description: >
              Object status within the Threat Library
          - name: indicator_value
            type: keyword
            description: >
              Original indicator value
          - name: adversaries
            type: keyword
            description: >
              Adversaries that are linked to the object
          - name: attributes
            type: flattened
            description: >
              These provide additional context about an object
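The module definitions above (and the suricata `stats`, `tls` and `flow` groups before them) only become searchable field names once Filebeat flattens the nested `fields:` groups into dotted Elasticsearch paths such as `misp.attribute.to_ids`. The block below is an added example, not Filebeat's own code or part of this fields.yml: a simplified reimplementation of that flattening, plus two lint checks worth running before shipping a fields.yml. It assumes that an empty group name (`- name: ""`) contributes no prefix, that a field with no `type` defaults to `keyword`, and that the module `key` is only a documentation section name rather than a field prefix. The sample input is constructed by hand to mirror the threatintel fragment above and the truncated trailing `flags` group of the suricata fragment; it is not parsed from this file.

```python
"""Flatten Filebeat fields.yml groups into dotted Elasticsearch field paths.

Added example (not Filebeat's own code). Assumptions, also stated in the
lead-in: an empty group name adds no prefix, a missing `type` means
`keyword`, and the module `key` is not a field prefix.
"""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: the parsed form of a fields.yml fragment shaped like
# the threatintel module above.
THREATINTEL_MODULE: dict = {
    "key": "threatintel",
    "title": "threatintel",
    "fields": [
        {
            "name": "",  # empty group name: children become top-level paths
            "type": "group",
            "fields": [
                {"name": "threat.indicator.file.hash.tlsh", "type": "keyword"},
                {"name": "threat.feed.name", "type": "keyword"},
                {
                    "name": "misp",
                    "type": "group",
                    "fields": [
                        {"name": "id", "type": "keyword"},
                        {"name": "threat_level_id", "type": "long"},
                        {"name": "org.id", "type": "keyword"},
                        {
                            "name": "attribute",
                            "type": "group",
                            "fields": [
                                {"name": "to_ids", "type": "boolean"},
                                {"name": "value"},  # no type: keyword (assumption)
                            ],
                        },
                    ],
                },
            ],
        }
    ],
}

# Constructed sample of a truncated group, like the trailing `flags` group in
# the suricata fragment: `fields:` with nothing under it parses as None.
TRUNCATED_FIELDS: List[dict] = [
    {"name": "tx_id", "type": "long"},
    {"name": "flags", "type": "group", "fields": None},
]


def _join(prefix: str, name: str) -> str:
    # Join only non-empty segments, so `- name: ""` adds no prefix (assumption).
    return ".".join(seg for seg in (prefix, name) if seg)


def flatten(fields: Optional[List[dict]], prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted_path, type) for every leaf field under `fields`."""
    for field in fields or []:
        path = _join(prefix, field.get("name", ""))
        ftype = field.get("type") or "keyword"  # missing type -> keyword (assumption)
        if ftype == "group":
            yield from flatten(field.get("fields"), path)
        else:
            yield path, ftype


def flatten_module(module: dict) -> Dict[str, str]:
    """Map every leaf path in a module to its type, rejecting type conflicts."""
    mapping: Dict[str, str] = {}
    for path, ftype in flatten(module.get("fields")):
        if path in mapping and mapping[path] != ftype:
            raise ValueError(f"{path}: conflicting types {mapping[path]!r} and {ftype!r}")
        mapping[path] = ftype
    return mapping


def empty_groups(fields: Optional[List[dict]], prefix: str = "") -> List[str]:
    """Return paths of groups that declare `fields:` but list none (a cut-off group)."""
    found: List[str] = []
    for field in fields or []:
        path = _join(prefix, field.get("name", ""))
        if field.get("type") == "group":
            children = field.get("fields")
            if not children:
                found.append(path)
            else:
                found.extend(empty_groups(children, path))
    return found


if __name__ == "__main__":
    for path, ftype in sorted(flatten_module(THREATINTEL_MODULE).items()):
        print(f"{path:40} {ftype}")
    print("empty groups:", empty_groups(TRUNCATED_FIELDS))
```

Running the block prints the flattened threatintel paths with their types and reports `flags` as an empty group; the same functions applied to a real parsed fields.yml (for example via PyYAML's `safe_load`) flag cut-off groups and duplicate paths whose types disagree, both of which would otherwise surface only as index-template errors at deploy time.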
- key: tomcat
  title: Apache Tomcat
  description: >
    tomcat fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness.
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPv4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPv6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of processes. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred, in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given in the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures the version of the application or OS which is
                generating the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of an object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of an object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture name of the Device associated with the
                node Like: a physical disk, printer, etc'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy ID only, this should be
                a numeric value, use policy.name otherwise
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the integer IDS/IPS Signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or
                system (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures all non-successful error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a list name or list number, primarily
                for collecting access-list (ACL) entries
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters which are overlayed onto a rule (or
                rulename) which effectively constitutes a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures a string object of the sigid variable.
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures IDS/IPS Int Signature ID. This must be linked
                to the sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures Filter Category Number. Legacy Usage
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key describes the type of service
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMWare Target **VMWARE** only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a failure key for Process ID when it is not an integer
                value
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process ID of a connection to the database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical reads
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. It also captures the device hostname, i.e. any
                hostname that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: there is a type discrepancy as currently
                used: TM: Int32, INDEX: UInt64 (neither chose the correct UInt16).'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IP mask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for the destination device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture the Ethernet type; used for layer 3
                protocols only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the IP protocol number; all
                protocol numbers are converted into strings in the UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity (e.g. Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the theme of a particular event (e.g. Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the subject of a particular event (e.g. User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular event (e.g. Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event category code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture Behaviours of Compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture the investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture the investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key captures Indicators of Compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used only to capture the authentication method used
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: RADIUS realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for uninterpreted LDAP values: LDAP values that don't
                have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture the username the process or service is
                running as, or the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a Windows-specific key used for capturing the name
                of the account a service (referenced in the event) is running under. Legacy usage.
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the destination email address only;
                when the destination context is not clear, use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only; when
                the source context is not clear, use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture the name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture the name of the parent file, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture the entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture the company name of a file as found in its version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures Threat Name/Threat Category/Categorization of
                alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for Encryption peer's IP Address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the SSID of a wireless session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the WLAN channel number
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number. This key is a very useful concept in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: zeek
  title: Zeek
  description: >
    Module for handling logs produced by Zeek/Bro
  fields:
    - name: zeek
      type: group
      description: >
        Fields from Zeek/Bro logs after normalization
      fields:
        - name: session_id
          type: keyword
          description: >
            A unique identifier of the session
        - name: capture_loss
          type: group
          description: >
            Fields exported by the Zeek capture_loss log
          fields:
            - name: ts_delta
              type: integer
              description: |
                The time delay between this measurement and the last.
        
            - name: peer
              type: keyword
              description: |
                In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
        
            - name: gaps
              type: integer
              description: |
                Number of missed ACKs from the previous measurement interval.
        
            - name: acks
              type: integer
              description: |
                Total number of ACKs seen in the previous measurement interval.
        
            - name: percent_lost
              type: double
              description: |
                Percentage of ACKs seen where the data being ACKed wasn't seen.
        - name: connection
          type: group
          description: >
            Fields exported by the Zeek Connection log
          fields:
            - name: local_orig
              type: boolean
              description: >
                Indicates whether the session is originated locally.
        
            - name: local_resp
              type: boolean
              description: >
                Indicates whether the session is responded to locally.
        
            - name: missed_bytes
              type: long
              description: >
                Missed bytes for the session.
        
            - name: state
              type: keyword
              description: >
                Code indicating the state of the session.
        
            - name: state_message
              type: keyword
              description: >
                The state of the session.
        
            - name: icmp
              type: group
              fields:
                - name: type
                  type: integer
                  description: >
                    ICMP message type.
        
                - name: code
                  type: integer
                  description: >
                    ICMP message code.
        
            - name: history
              type: keyword
              description: >
                Flags indicating the history of the session.
        
            - name: vlan
              type: integer
              description: >
                VLAN identifier.
        
            - name: inner_vlan
              type: integer
              description: >
                Inner VLAN identifier, if applicable.
        
        - name: dce_rpc
          type: group
          description: >
            Fields exported by the Zeek DCE_RPC log
          fields:
            - name: rtt
              type: integer
              description: |
                Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
        
            - name: named_pipe
              type: keyword
              description: |
                Remote pipe name.
        
            - name: endpoint
              type: keyword
              description: |
                Endpoint name looked up from the uuid.
        
            - name: operation
              type: keyword
              description: |
                Operation seen in the call.
        - name: dhcp
          type: group
          description: >
            Fields exported by the Zeek DHCP log
          fields:
            - name: domain
              type: keyword
              description: >
                Domain given by the server in option 15.
        
            - name: duration
              type: double
              description: |
                Duration of the DHCP session representing the time from the first
                message to the last, in seconds.
        
            - name: hostname
              type: keyword
              description: >
                Name given by client in Hostname option 12.
        
            - name: client_fqdn
              type: keyword
              description: >
                FQDN given by client in Client FQDN option 81.
        
            - name: lease_time
              type: integer
              description: >
                IP address lease interval in seconds.
        
            - name: address
              type: group
              description: >
                Addresses seen in this DHCP exchange.
              fields:
                - name: assigned
                  type: ip
                  description: >
                    IP address assigned by the server.
        
                - name: client
                  type: ip
                  description: |
                    IP address of the client. If a transaction is only a client sending
                    INFORM messages then there is no lease information exchanged so this
                    is helpful to know who sent the messages. Getting an address in this
                    field does require that the client sources at least one DHCP message
                    using a non-broadcast address.
        
                - name: mac
                  type: keyword
                  description: >
                    Client's hardware address.
        
                - name: requested
                  type: ip
                  description: >
                    IP address requested by the client.
        
                - name: server
                  type: ip
                  description: >
                    IP address of the DHCP server.
        
            - name: msg
              type: group
              fields:
                - name: types
                  type: keyword
                  description: >
                    List of DHCP message types seen in this exchange.
        
                - name: origin
                  type: ip
                  description: |
                    (present if policy/protocols/dhcp/msg-orig.bro is loaded)
                    The address that originated each message from the msg.types field.
        
                - name: client
                  type: keyword
                  description: |
                    Message typically accompanied with a DHCP_DECLINE so the client can
                    tell the server why it rejected an address.
        
                - name: server
                  type: keyword
                  description: |
                    Message typically accompanied with a DHCP_NAK to let the client know
                    why it rejected the request.
        
            - name: software
              type: group
              fields:
                - name: client
                  type: keyword
                  description: |
                    (present if policy/protocols/dhcp/software.bro is loaded)
                    Software reported by the client in the vendor_class option.
        
                - name: server
                  type: keyword
                  description: |
                    (present if policy/protocols/dhcp/software.bro is loaded)
                    Software reported by the server in the vendor_class option.
        
            - name: id
              type: group
              fields:
                - name: circuit
                  type: keyword
                  description: |
                    (present if policy/protocols/dhcp/sub-opts.bro is loaded)
                    Added by DHCP relay agents which terminate switched or permanent
                    circuits. It encodes an agent-local identifier of the circuit from
                    which a DHCP client-to-server packet was received. Typically it
                    should represent a router or switch interface number.
        
                - name: remote_agent
                  type: keyword
                  description: |
                    (present if policy/protocols/dhcp/sub-opts.bro is loaded)
                    A globally unique identifier added by relay agents to identify the
                    remote host end of the circuit.
        
                - name: subscriber
                  type: keyword
                  description: |
                    (present if policy/protocols/dhcp/sub-opts.bro is loaded)
                    The subscriber ID is a value independent of the physical network
                    configuration so that a customer's DHCP configuration can be given
                    to them correctly no matter where they are physically connected.
        - name: dnp3
          type: group
          description: >
            Fields exported by the Zeek DNP3 log
          fields:
            - name: function
              type: group
              fields:
                - name: request
                  type: keyword
                  description: |
                    The name of the function message in the request.
        
                - name: reply
                  type: keyword
                  description: |
                    The name of the function message in the reply.
        
            - name: id
              type: integer
              description: |
                The response's internal indication number.
        
        - name: dns
          type: group
          description: >
            Fields exported by the Zeek DNS log
          fields:
            - name: trans_id
              type: keyword
              description: >
                DNS transaction identifier.
        
            - name: rtt
              type: double
              description: >
                Round trip time for the query and response.
        
            - name: query
              type: keyword
              description: >
                The domain name that is the subject of the DNS query.
        
            - name: qclass
              type: long
              description: >
                The QCLASS value specifying the class of the query.
        
            - name: qclass_name
              type: keyword
              description: >
                A descriptive name for the class of the query.
        
            - name: qtype
              type: long
              description: >
                A QTYPE value specifying the type of the query.
        
            - name: qtype_name
              type: keyword
              description: >
                A descriptive name for the type of the query.
        
            - name: rcode
              type: long
              description: >
                The response code value in DNS response messages.
        
            - name: rcode_name
              type: keyword
              description: >
                A descriptive name for the response code value.
        
            - name: AA
              type: boolean
              description: |
                The Authoritative Answer bit for response messages specifies that the responding
                name server is an authority for the domain name in the question section.
        
            - name: TC
              type: boolean
              description: >
                The Truncation bit specifies that the message was truncated.
        
            - name: RD
              type: boolean
              description: |
                The Recursion Desired bit in a request message indicates that the client
                wants recursive service for this query.
        
            - name: RA
              type: boolean
              description: |
                The Recursion Available bit in a response message indicates that the name
                server supports recursive queries.
        
            - name: answers
              type: keyword
              description: >
                The set of resource descriptions in the query answer.
        
            - name: TTLs
              type: double
              description: >
                The caching intervals of the associated RRs described by the answers field.
        
            - name: rejected
              type: boolean
              description: >
                Indicates whether the DNS query was rejected by the server.
        
            - name: total_answers
              type: integer
              description: >
                The total number of resource records in the reply.
        
            - name: total_replies
              type: integer
              description: >
                The total number of resource records in the reply message.
        
            - name: saw_query
              type: boolean
              description: >
                Whether the full DNS query has been seen.
        
            - name: saw_reply
              type: boolean
              description: >
                Whether the full DNS reply has been seen.
        - name: dpd
          type: group
          description: >
            Fields exported by the Zeek DPD log
          fields:
            - name: analyzer
              type: keyword
              description: >
                The analyzer that generated the violation.
        
            - name: failure_reason
              type: keyword
              description: >
                The textual reason for the analysis failure.
        
            - name: packet_segment
              type: keyword
              description: |
                (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)
                A chunk of the payload that most likely resulted in the protocol violation.
        - name: files
          type: group
          description: >
            Fields exported by the Zeek Files log.
          fields:
            - name: fuid
              type: keyword
              description: >
                A file unique identifier.
        
            - name: tx_host
              type: ip
              description: >
                The host that transferred the file.
        
            - name: rx_host
              type: ip
              description: >
                The host that received the file.
        
            - name: session_ids
              type: keyword
              description: >
                The sessions that have this file.
        
            - name: source
              type: keyword
              description: |
                An identification of the source of the file data. E.g. it may be a network protocol
                over which it was transferred, or a local file path which was read, or some other
                input source.
        
            - name: depth
              type: long
              description: |
                A value to represent the depth of this file in relation to its source. In SMTP, it
                is the depth of the MIME attachment on the message. In HTTP, it is the depth of the
                request within the TCP connection.
        
            - name: analyzers
              type: keyword
              description: >
                A set of analysis types done during the file analysis.
        
            - name: mime_type
              type: keyword
              description: >
                Mime type of the file.
        
            - name: filename
              type: keyword
              description: >
                Name of the file if available.
        
            - name: local_orig
              type: boolean
              description: |
                If the source of this file is a network connection, this field indicates if the data
                originated from the local network or not.
        
            - name: is_orig
              type: boolean
              description: |
                If the source of this file is a network connection, this field indicates if the file is
                being sent by the originator of the connection or the responder.
        
            - name: duration
              type: double
              description: >
                The duration the file was analyzed for. Not the duration of the session.
        
            - name: seen_bytes
              type: long
              description: >
                Number of bytes provided to the file analysis engine for the file.
        
            - name: total_bytes
              type: long
              description: >
                Total number of bytes that are supposed to comprise the full file.
        
            - name: missing_bytes
              type: long
              description: |
                The number of bytes in the file stream that were completely missed during the process
                of analysis.
        
            - name: overflow_bytes
              type: long
              description: |
                The number of bytes in the file stream that were not delivered to stream file analyzers.
                This could be overlapping bytes or bytes that couldn't be reassembled.
        
            - name: timedout
              type: boolean
              description: >
                Whether the file analysis timed out at least once for the file.
        
            - name: parent_fuid
              type: keyword
              description: |
                Identifier associated with a container file from which this one was extracted as part of
                the file analysis.
        
            - name: md5
              type: keyword
              description: >
                An MD5 digest of the file contents.
        
            - name: sha1
              type: keyword
              description: >
                A SHA1 digest of the file contents.
        
            - name: sha256
              type: keyword
              description: >
                A SHA256 digest of the file contents.
        
            - name: extracted
              type: keyword
              description: >
                Local filename of extracted file.
        
            - name: extracted_cutoff
              type: boolean
              description: >
                Indicates whether the file being extracted was cut off and hence not extracted completely.
        
            - name: extracted_size
              type: long
              description: >
                The number of bytes extracted to disk.
        
            - name: entropy
              type: double
              description: >
                The information density of the contents of the file.
        - name: ftp
          type: group
          description: >
            Fields exported by the Zeek FTP log
          fields:
            - name: user
              type: keyword
              description: |
                User name for the current FTP session.
        
            - name: password
              type: keyword
              description: |
                Password for the current FTP session if captured.
        
            - name: command
              type: keyword
              description: |
                Command given by the client.
        
            - name: arg
              type: keyword
              description: |
                Argument for the command if one is given.
        
            - name: file
              type: group
              fields:
                - name: size
                  type: long
                  description: |
                    Size of the file if the command indicates a file transfer.
        
                - name: mime_type
                  type: keyword
                  description: |
                    Sniffed mime type of file.
        
                - name: fuid
                  type: keyword
                  description: |
                    (present if base/protocols/ftp/files.bro is loaded)
                    File unique ID.
        
            - name: reply
              type: group
              fields:
                - name: code
                  type: integer
                  description: |
                    Reply code from the server in response to the command.
        
                - name: msg
                  type: keyword
                  description: |
                    Reply message from the server in response to the command.
        
            - name: data_channel
              type: group
              description: |
                Expected FTP data channel.
              fields:
                - name: passive
                  type: boolean
                  description: |
                    Whether PASV mode is toggled for control channel.
        
                - name: originating_host
                  type: ip
                  description: |
                    The host that will be initiating the data connection.
        
                - name: response_host
                  type: ip
                  description: |
                    The host that will be accepting the data connection.
        
                - name: response_port
                  type: integer
                  description: |
                    The port at which the acceptor is listening for the data connection.
        
            - name: cwd
              type: keyword
              description: |
                Current working directory that this session is in. By making the default value '.', we can indicate that, unless something more concrete is discovered, the existing but unknown directory is OK to use.
        
            - name: cmdarg
              type: group
              description: |
                Command that is currently waiting for a response.
              fields:
                - name: cmd
                  type: keyword
                  description: |
                    Command.
        
                - name: arg
                  type: keyword
                  description: |
                    Argument for the command if one was given.
        
                - name: seq
                  type: integer
                  description: |
                    Counter to track how many commands have been executed.
        
            - name: pending_commands
              type: integer
              description: |
                Queue of commands that have been sent but not yet responded to.
        
            - name: passive
              type: boolean
              description: |
                Indicates if the session is in active or passive mode.
        
            - name: capture_password
              type: boolean
              description: |
                Determines if the password will be captured for this request.
        
            - name: last_auth_requested
              type: keyword
              description: |
                (present if base/protocols/ftp/gridftp.bro is loaded)
                Last authentication/security mechanism that was used.
        - name: http
          type: group
          description: >
            Fields exported by the Zeek HTTP log
          fields:
            - name: trans_depth
              type: integer
              description: >
                Represents the pipelined depth into the connection of this request/response transaction.
        
            - name: status_msg
              type: keyword
              description: >
                Status message returned by the server.
        
            - name: info_code
              type: integer
              description: >
                Last seen 1xx informational reply code returned by the server.
        
            - name: info_msg
              type: keyword
              description: >
                Last seen 1xx informational reply message returned by the server.
        
            - name: tags
              type: keyword
              description: |
                A set of indicators of various attributes discovered and related to a particular
                request/response pair.
        
            - name: password
              type: keyword
              description: >
                Password if basic-auth is performed for the request.
        
            - name: captured_password
              type: boolean
              description: >
                Determines if the password will be captured for this request.
        
            - name: proxied
              type: keyword
              description: >
                All of the headers that may indicate if the HTTP request was proxied.
        
            - name: range_request
              type: boolean
              description: >
                Indicates if this request can assume 206 partial content in response.
        
            - name: client_header_names
              type: keyword
              description: |
                The vector of HTTP header names sent by the client. No header values
                are included here, just the header names.
        
            - name: server_header_names
              type: keyword
              description: |
                The vector of HTTP header names sent by the server. No header values
                are included here, just the header names.
        
            - name: orig_fuids
              type: keyword
              description: >
                An ordered vector of file unique IDs from the originator.
        
            - name: orig_mime_types
              type: keyword
              description: >
                An ordered vector of mime types from the originator.
        
            - name: orig_filenames
              type: keyword
              description: >
                An ordered vector of filenames from the originator.
        
            - name: resp_fuids
              type: keyword
              description: >
                An ordered vector of file unique IDs from the responder.
        
            - name: resp_mime_types
              type: keyword
              description: >
                An ordered vector of mime types from the responder.
        
            - name: resp_filenames
              type: keyword
              description: >
                An ordered vector of filenames from the responder.
        
            - name: orig_mime_depth
              type: integer
              description: >
                Current number of MIME entities in the HTTP request message body.
        
            - name: resp_mime_depth
              type: integer
              description: >
                Current number of MIME entities in the HTTP response message body.
        - name: intel
          type: group
          description: >
            Fields exported by the Zeek Intel log.
          fields:
        
            - name: seen
              type: group
              fields:
                - name: indicator
                  type: keyword
                  description: >
                    The intelligence indicator.
        
                - name: indicator_type
                  type: keyword
                  description: >
                    The type of data the indicator represents.
        
                - name: host
                  type: keyword
                  description: >
                    If the indicator type was Intel::ADDR, then this field will be present.
        
                - name: conn
                  type: keyword
                  description: >
                    If the data was discovered within a connection, the connection record should go here to give context to the data.
        
                - name: where
                  type: keyword
                  description: >
                    Where the data was discovered.
        
                - name: node
                  type: keyword
                  description: >
                    The name of the node where the match was discovered.
        
                - name: uid
                  type: keyword
                  description: >
                    If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
        
                - name: f
                  type: object
                  description: >
                    If the data was discovered within a file, the file record should go here to provide context to the data.
        
                - name: fuid
                  type: keyword
                  description: >
                    If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
        
        
            - name: matched
              type: keyword
              description: >
                Represents a match of data that was seen against the intelligence data.
        
            - name: sources
              type: keyword
              description: >
                Sources which supplied data for this match.
        
            - name: fuid
              type: keyword
              description: >
                If a file was associated with this intelligence hit, this is the uid for the file.
        
            - name: file_mime_type
              type: keyword
              description: >
                A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
        
            - name: file_desc
              type: keyword
              description: >
                Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
        - name: irc
          type: group
          description: >
            Fields exported by the Zeek IRC log
          fields:
            - name: nick
              type: keyword
              description: |
                Nickname given for the connection.
        
            - name: user
              type: keyword
              description: |
                Username given for the connection.
        
            - name: command
              type: keyword
              description: |
                Command given by the client.
        
            - name: value
              type: keyword
              description: |
                Value for the command given by the client.
        
            - name: addl
              type: keyword
              description: |
                Any additional data for the command.
        
            - name: dcc
              type: group
              fields:
                - name: file
                  type: group
                  fields:
                    - name: name
                      type: keyword
                      description: |
                        Present if base/protocols/irc/dcc-send.bro is loaded.
                        DCC filename requested.
        
                    - name: size
                      type: long
                      description: |
                        Present if base/protocols/irc/dcc-send.bro is loaded.
                        Size of the DCC transfer as indicated by the sender.
        
                - name: mime_type
                  type: keyword
                  description: |
                    Present if base/protocols/irc/dcc-send.bro is loaded.
                    Sniffed mime type of the file.
        
            - name: fuid
              type: keyword
              description: |
                Present if base/protocols/irc/files.bro is loaded.
                File unique ID.
        - name: kerberos
          type: group
          description: >
            Fields exported by the Zeek Kerberos log
          fields:
            - name: request_type
              type: keyword
              description: >
                Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
        
            - name: client
              type: keyword
              description: >
                Client name.
        
            - name: service
              type: keyword
              description: >
                Service name.
        
            - name: success
              type: boolean
              description: >
                Request result.
        
            - name: error
              type: group
              fields:
                - name: code
                  type: integer
                  description: >
                    Error code.
        
                - name: msg
                  type: keyword
                  description: >
                    Error message.
        
            - name: valid
              type: group
              fields:
                - name: from
                  type: date
                  description: >
                    Ticket valid from.
        
                - name: until
                  type: date
                  description: >
                    Ticket valid until.
        
                - name: days
                  type: integer
                  description: >
                    Number of days the ticket is valid for.
        
            - name: cipher
              type: keyword
              description: >
                Ticket encryption type.
        
            - name: forwardable
              type: boolean
              description: >
                Forwardable ticket requested.
        
            - name: renewable
              type: boolean
              description: >
                Renewable ticket requested.
        
            - name: ticket
              type: group
              fields:
                - name: auth
                  type: keyword
                  description: >
                    Hash of ticket used to authorize request/transaction.
        
                - name: new
                  type: keyword
                  description: >
                    Hash of ticket returned by the KDC.
        
            - name: cert
              type: group
              fields:
                - name: client
                  type: group
                  fields:
                    - name: value
                      type: keyword
                      description: >
                        Client certificate.
        
                    - name: fuid
                      type: keyword
                      description: >
                        File unique ID of client cert.
        
                    - name: subject
                      type: keyword
                      description: >
                        Subject of client certificate.
        
                - name: server
                  type: group
                  fields:
                    - name: value
                      type: keyword
                      description: >
                        Server certificate.
        
                    - name: fuid
                      type: keyword
                      description: >
                        File unique ID of server certificate.
        
                    - name: subject
                      type: keyword
                      description: >
                        Subject of server certificate.
        - name: modbus
          type: group
          description: >
            Fields exported by the Zeek Modbus log.
          fields:
            - name: function
              type: keyword
              description: |
                The name of the function message that was sent.
        
            - name: exception
              type: keyword
              description: |
                The exception if the response was a failure.
        
            - name: track_address
              type: integer
              description: |
                Present if policy/protocols/modbus/track-memmap.bro is loaded.
                Modbus track address.
        - name: mysql
          type: group
          description: >
            Fields exported by the Zeek MySQL log.
          fields:
            - name: cmd
              type: keyword
              description: |
                The command that was issued.
        
            - name: arg
              type: keyword
              description: |
                The argument issued to the command.
        
            - name: success
              type: boolean
              description: |
                Whether the command succeeded.
        
            - name: rows
              type: integer
              description: |
                The number of affected rows, if any.
        
            - name: response
              type: keyword
              description: |
                Server message, if any.
        - name: notice
          type: group
          description: >
            Fields exported by the Zeek Notice log.
          fields:
            - name: connection_id
              type: keyword
              description: >
                Identifier of the related connection session.
        
            - name: icmp_id
              type: keyword
              description: >
                Identifier of the related ICMP session.
        
            - name: file.id
              type: keyword
              description: >
                An identifier associated with a single file that is related to this notice.
        
            - name: file.parent_id
              type: keyword
              description: >
                Identifier associated with a container file from which this one was extracted.
        
            - name: file.source
              type: keyword
              description: |
                An identification of the source of the file data. E.g. it may be a network protocol
                over which it was transferred, or a local file path which was read, or some other
                input source.
        
            - name: file.mime_type
              type: keyword
              description: >
                A mime type if the notice is related to a file.
        
            - name: file.is_orig
              type: boolean
              description: |
                If the source of this file is a network connection, this field indicates if the file is
                being sent by the originator of the connection or the responder.
        
            - name: file.seen_bytes
              type: long
              description: >
                Number of bytes provided to the file analysis engine for the file.
        
            - name: file.total_bytes
              type: long
              description: >
                Total number of bytes that are supposed to comprise the full file.
        
            - name: file.missing_bytes
              type: long
              description: |
                The number of bytes in the file stream that were completely missed during the process
                of analysis.
        
            - name: file.overflow_bytes
              type: long
              description: |
                The number of bytes in the file stream that were not delivered to stream file analyzers.
                This could be overlapping bytes or bytes that couldn't be reassembled.
        
            - name: fuid
              type: keyword
              description: >
                A file unique ID if this notice is related to a file.
        
            - name: note
              type: keyword
              description: >
                The type of the notice.
        
            - name: msg
              type: keyword
              description: >
                The human readable message for the notice.
        
            - name: sub
              type: keyword
              description: >
                The human readable sub-message.
        
            - name: n
              type: long
              description: >
                Associated count, or a status code.
        
            - name: peer_name
              type: keyword
              description: >
                Name of remote peer that raised this notice.
        
            - name: peer_descr
              type: text
              description: >
                Textual description for the peer that raised this notice.
        
            - name: actions
              type: keyword
              description: >
                The actions which have been applied to this notice.
        
            - name: email_body_sections
              type: text
              description: |
                By adding chunks of text into this element, other scripts can expand on notices
                that are being emailed.
        
            - name: email_delay_tokens
              type: keyword
              description: |
                Adding a string token to this set will cause the built-in emailing functionality
                to delay sending the email until either the token has been removed or the email
                has been delayed for the specified time duration.
        
            - name: identifier
              type: keyword
              description: >
                This field is provided when a notice is generated for the purpose of deduplicating notices.
        
            - name: suppress_for
              type: double
              description: >
                This field indicates the length of time that this unique notice should be suppressed.
        
            - name: dropped
              type: boolean
              description: >
                Indicates whether the source IP address was dropped and denied network access.
        
        - name: ntlm
          type: group
          description: >
            Fields exported by the Zeek NTLM log.
          fields:
            - name: domain
              type: keyword
              description: >
                Domain name given by the client.
        
            - name: hostname
              type: keyword
              description: >
                Hostname given by the client.
        
            - name: success
              type: boolean
              description: >
                Indicates whether the authentication was successful.
        
            - name: username
              type: keyword
              description: >
                Username given by the client.
        
            - name: server
              type: group
              fields:
                - name: name
                  type: group
                  fields:
                    - name: dns
                      type: keyword
                      description: >
                        DNS name given by the server in a CHALLENGE.
        
                    - name: netbios
                      type: keyword
                      description: >
                        NetBIOS name given by the server in a CHALLENGE.
        
                    - name: tree
                      type: keyword
                      description: >
                        Tree name given by the server in a CHALLENGE.
        - name: ntp
          type: group
          description: >
            Fields exported by the Zeek NTP log.
          fields:
            - name: version
              type: integer
              description: >
                The NTP version number (1, 2, 3, 4).
            - name: mode
              type: integer
              description: >
                The NTP mode being used.
            - name: stratum
              type: integer
              description: >
                The stratum (primary server, secondary server, etc.).
            - name: poll
              type: double
              description: >
                The maximum interval between successive messages in seconds.
            - name: precision
              type: double
              description: >
                The precision of the system clock in seconds.
            - name: root_delay
              type: double
              description: >
                Total round-trip delay to the reference clock in seconds.
            - name: root_disp
              type: double
              description: >
                Total dispersion to the reference clock in seconds.
            - name: ref_id
              type: keyword
              description: >
                For stratum 0, a 4-character string used for debugging.
                For stratum 1, the ID assigned to the reference clock by IANA.
                Above stratum 1, when using IPv4, the IP address of the reference clock.
                Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses,
                so they use the first four bytes of the MD5 hash of the reference clock's IPv6 address
                (i.e. an IPv4 address here is not necessarily IPv4).
            - name: ref_time
              type: date
              description: >
                Time when the system clock was last set or corrected.
            - name: org_time
              type: date
              description: >
                Time at the client when the request departed for the NTP server.
            - name: rec_time
              type: date
              description: >
                Time at the server when the request arrived from the NTP client.
            - name: xmt_time
              type: date
              description: >
                Time at the server when the response departed for the NTP client.
            - name: num_exts
              type: integer
              description: >
                Number of extension fields (which are not currently parsed).
        - name: ocsp
          type: group
          description: >
            Fields exported by the Zeek OCSP (Online Certificate Status Protocol) log. Only created if the policy script is loaded.
          fields:
            - name: file_id
              type: keyword
              description: |
                File id of the OCSP reply.
            - name: hash
              type: group
              fields:
                - name: algorithm
                  type: keyword
                  description: |
                    Hash algorithm used to generate issuerNameHash and issuerKeyHash.
        
                - name: issuer
                  type: group
                  fields:
                    - name: name
                      type: keyword
                      description: |
                        Hash of the issuer's distinguished name.
        
                    - name: key
                      type: keyword
                      description: |
                        Hash of the issuer's public key.
        
            - name: serial_number
              type: keyword
              description: |
                Serial number of the affected certificate.
        
            - name: status
              type: keyword
              description: |
                Status of the affected certificate.
        
            - name: revoke
              type: group
              fields:
                - name: time
                  type: date
                  description: |
                    Time at which the certificate was revoked.
        
                - name: reason
                  type: keyword
                  description: |
                    Reason for which the certificate was revoked.
        
            - name: update
              type: group
              fields:
                - name: this
                  type: date
                  description: |
                    The time at which the status being shown is known to have been correct.
        
                - name: next
                  type: date
                  description: |
                    The latest time at which new information about the status of the certificate will be available.
        
        - name: pe
          type: group
          description: >
            Fields exported by the Zeek PE log.
          fields:
            - name: client
              type: keyword
              description: >
                The client's version string.
        
            - name: id
              type: keyword
              description: >
                File id of this portable executable file.
        
            - name: machine
              type: keyword
              description: >
                The target machine that the file was compiled for.
        
            - name: compile_time
              type: date
              description: >
                The time that the file was created at.
        
            - name: os
              type: keyword
              description: >
                The required operating system.
        
            - name: subsystem
              type: keyword
              description: >
                The subsystem that is required to run this file.
        
            - name: is_exe
              type: boolean
              description: >
                Is the file an executable, or just an object file?
        
            - name: is_64bit
              type: boolean
              description: >
                Is the file a 64-bit executable?
        
            - name: uses_aslr
              type: boolean
              description: >
                Does the file support Address Space Layout Randomization?
        
            - name: uses_dep
              type: boolean
              description: >
                Does the file support Data Execution Prevention?
        
            - name: uses_code_integrity
              type: boolean
              description: >
                Does the file enforce code integrity checks?
        
            - name: uses_seh
              type: boolean
              description: >
                Does the file use structured exception handling?
        
            - name: has_import_table
              type: boolean
              description: >
                Does the file have an import table?
        
            - name: has_export_table
              type: boolean
              description: >
                Does the file have an export table?
        
            - name: has_cert_table
              type: boolean
              description: >
                Does the file have an attribute certificate table?
        
            - name: has_debug_data
              type: boolean
              description: >
                Does the file have a debug table?
        
            - name: section_names
              type: keyword
              description: >
                The names of the sections, in order.
        
        - name: radius
          type: group
          description: >
            Fields exported by the Zeek RADIUS log.
          fields:
            - name: username
              type: keyword
              description: |
                The username, if present.
        
            - name: mac
              type: keyword
              description: |
                MAC address, if present.
        
            - name: framed_addr
              type: ip
              description: |
                The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
        
            - name: remote_ip
              type: ip
              description: |
                Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
        
            - name: connect_info
              type: keyword
              description: |
                Connect info, if present.
        
            - name: reply_msg
              type: keyword
              description: |
                Reply message from the server challenge. This is frequently shown to the user authenticating.
        
            - name: result
              type: keyword
              description: |
                Successful or failed authentication.
        
            - name: ttl
              type: integer
              description: |
                The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
        
            - name: logged
              type: boolean
              description: |
                Whether this has already been logged and can be ignored.
        - name: rdp
          type: group
          description: >
            Fields exported by the Zeek RDP log.
          fields:
            - name: cookie
              type: keyword
              description: |
                Cookie value used by the client machine. This is typically a username.
        
            - name: result
              type: keyword
              description: |
                Status result for the connection. It's a mix between RDP negotiation failure messages and GCC server create response messages.
        
            - name: security_protocol
              type: keyword
              description: |
                Security protocol chosen by the server.
        
            - name: keyboard_layout
              type: keyword
              description: |
                Keyboard layout (language) of the client machine.
        
            - name: client
              type: group
              fields:
                - name: build
                  type: keyword
                  description: |
                    RDP client version used by the client machine.
        
                - name: client_name
                  type: keyword
                  description: |
                    Name of the client machine.
        
                - name: product_id
                  type: keyword
                  description: |
                    Product ID of the client machine.
        
            - name: desktop
              type: group
              fields:
                - name: width
                  type: integer
                  description: |
                    Desktop width of the client machine.
        
                - name: height
                  type: integer
                  description: |
                    Desktop height of the client machine.
        
                - name: color_depth
                  type: keyword
                  description: |
                    The color depth requested by the client in the high_color_depth field.
        
            - name: cert
              type: group
              fields:
                - name: type
                  type: keyword
                  description: |
                    If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
        
                - name: count
                  type: integer
                  description: |
                    The number of certs seen. X.509 can transfer an entire certificate chain.
        
                - name: permanent
                  type: boolean
                  description: |
                    Indicates if the provided certificate or certificate chain is permanent or temporary.
        
            - name: encryption
              type: group
              fields:
                - name: level
                  type: keyword
                  description: |
                    Encryption level of the connection.
        
                - name: method
                  type: keyword
                  description: |
                    Encryption method of the connection.
        
            - name: done
              type: boolean
              description: |
                Track status of logging RDP connections.
        
            - name: ssl
              type: boolean
              description: |
                (present if policy/protocols/rdp/indicate_ssl.bro is loaded)
                Flag the connection if it was seen over SSL.
        - name: rfb
          type: group
          description: >
            Fields exported by the Zeek RFB log.
          fields:
            - name: version
              type: group
              fields:
                - name: client
                  type: group
                  fields:
                    - name: major
                      type: keyword
                      description: |
                        Major version of the client.
        
                    - name: minor
                      type: keyword
                      description: |
                        Minor version of the client.
        
                - name: server
                  type: group
                  fields:
                    - name: major
                      type: keyword
                      description: |
                        Major version of the server.
        
                    - name: minor
                      type: keyword
                      description: |
                        Minor version of the server.
        
            - name: auth
              type: group
              fields:
                - name: success
                  type: boolean
                  description: |
                    Whether or not authentication was successful.
        
                - name: method
                  type: keyword
                  description: |
                    Identifier of authentication method used.
        
            - name: share_flag
              type: boolean
              description: |
                Whether the client has an exclusive or a shared session.
        
            - name: desktop_name
              type: keyword
              description: |
                Name of the screen that is being shared.
        
            - name: width
              type: integer
              description: |
                Width of the screen that is being shared.
        
            - name: height
              type: integer
              description: |
                Height of the screen that is being shared.
        - name: signature
          type: group
          description: >
            Fields exported by the Zeek Signature log.
          fields:
            - name: note
              type: keyword
              description: >
                Notice associated with signature event.
        
            - name: sig_id
              type: keyword
              description: >
                The name of the signature that matched.
        
            - name: event_msg
              type: keyword
              description: >
                A more descriptive message of the signature-matching event.
        
            - name: sub_msg
              type: keyword
              description: >
                Extracted payload data or extra message.
        
            - name: sig_count
              type: integer
              description: >
                Number of signatures, usually from a summary count.
        
            - name: host_count
              type: integer
              description: >
                Number of hosts, from a summary count.
        - name: sip
          type: group
          description: >
            Fields exported by the Zeek SIP log.
          fields:
            - name: transaction_depth
              type: integer
              description: >
                Represents the pipelined depth into the connection of this request/response transaction.
        
            - name: sequence
              type: group
              fields:
                - name: method
                  type: keyword
                  description: >
                    Verb used in the SIP request (INVITE, REGISTER etc.).
        
                - name: number
                  type: keyword
                  description: >
                    Contents of the CSeq: header from the client.
        
            - name: uri
              type: keyword
              description: >
                URI used in the request.
        
            - name: date
              type: keyword
              description: >
                Contents of the Date: header from the client.
        
            - name: request
              type: group
              fields:
                - name: from
                  type: keyword
                  description: >
                    Contents of the request From: header. Note: the tag= value that's usually appended to the sender is stripped off and not logged.
        
                - name: to
                  type: keyword
                  description: >
                    Contents of the To: header.
        
                - name: path
                  type: keyword
                  description: >
                    The client message transmission path, as extracted from the headers.
        
                - name: body_length
                  type: long
                  description: >
                    Contents of the Content-Length: header from the client.
        
            - name: response
              type: group
              fields:
                - name: from
                  type: keyword
                  description: >
                    Contents of the response From: header. Note: the tag= value that is usually appended to the sender is stripped off and not logged.
        
                - name: to
                  type: keyword
                  description: >
                    Contents of the response To: header.
        
                - name: path
                  type: keyword
                  description: >
                    The server message transmission path, as extracted from the headers.
        
                - name: body_length
                  type: long
                  description: >
                    Contents of the Content-Length: header from the server.
        
            - name: reply_to
              type: keyword
              description: >
                Contents of the Reply-To: header.
        
            - name: call_id
              type: keyword
              description: >
                Contents of the Call-ID: header from the client.
        
            - name: subject
              type: keyword
              description: >
                Contents of the Subject: header from the client.
        
            - name: user_agent
              type: keyword
              description: >
                Contents of the User-Agent: header from the client.
        
            - name: status
              type: group
              fields:
                - name: code
                  type: integer
                  description: >
                    Status code returned by the server.
        
                - name: msg
                  type: keyword
                  description: >
                    Status message returned by the server.
        
            - name: warning
              type: keyword
              description: >
                Contents of the Warning: header.
        
            - name: content_type
              type: keyword
              description: >
                Contents of the Content-Type: header from the server.
        - name: smb_cmd
          type: group
          description: >
            Fields exported by the Zeek smb_cmd log.
          fields:
            - name: command
              type: keyword
              description: |
                The command sent by the client.
        
            - name: sub_command
              type: keyword
              description: |
                The subcommand sent by the client, if present.
        
            - name: argument
              type: keyword
              description: |
                Command argument sent by the client, if any.
        
            - name: status
              type: keyword
              description: |
                Server reply to the client's command.
        
            - name: rtt
              type: double
              description: |
                Round trip time from the request to the response.
        
            - name: version
              type: keyword
              description: |
                Version of SMB for the command.
        
            - name: username
              type: keyword
              description: |
                Authenticated username, if available.
        
            - name: tree
              type: keyword
              description: |
                If this is related to a tree, this is the tree that was used for the current command.
        
            - name: tree_service
              type: keyword
              description: |
                The type of tree (disk share, printer share, named pipe, etc.).
        
            - name: file
              type: group
              description: |
                If the command referenced a file, store it here.
              fields:
                - name: name
                  type: keyword
                  description: |
                    Filename if one was seen.
        
                - name: action
                  type: keyword
                  description: |
                    Action this log record represents.
        
                - name: uid
                  type: keyword
                  description: |
                    UID of the referenced file.
        
                - name: host
                  type: group
                  fields:
                    - name: tx
                      type: ip
                      description: |
                        Address of the transmitting host.
        
                    - name: rx
                      type: ip
                      description: |
                        Address of the receiving host.
        
            - name: smb1_offered_dialects
              type: keyword
              description: |
                Present if base/protocols/smb/smb1-main.bro is loaded.
                Dialects offered by the client.
        
            - name: smb2_offered_dialects
              type: integer
              description: |
                Present if base/protocols/smb/smb2-main.bro is loaded.
                Dialects offered by the client.
        - name: smb_files
          type: group
          description: >
            Fields exported by the Zeek SMB Files log.
          fields:
            - name: action
              type: keyword
              description: >
                Action this log record represents.
        
            - name: fid
              type: integer
              description: >
                ID referencing this file.
        
            - name: name
              type: keyword
              description: >
                Filename if one was seen.
        
            - name: path
              type: keyword
              description: >
                Path pulled from the tree this file was transferred to or from.
        
            - name: previous_name
              type: keyword
              description: >
                If the rename action was seen, this will be the file's previous name.
        
            - name: size
              type: long
              description: >
                Byte size of the file.
        
            - name: times
              type: group
              description: >
                Timestamps of the file.
              fields:
                - name: accessed
                  type: date
                  description: >
                    The file's access time.
        
                - name: changed
                  type: date
                  description: >
                    The file's change time.
        
                - name: created
                  type: date
                  description: >
                    The file's create time.
        
                - name: modified
                  type: date
                  description: >
                    The file's modify time.
        
            - name: uuid
              type: keyword
              description: >
                UUID referencing this file if DCE/RPC.
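Writes into administrative shares (ADMIN$, C$ and the other drive-letter shares) are the classic network-side indicator of PsExec-style lateral movement, and the smb_files fields above (action, path, name) are enough to spot them. The following is an added example, not code from the Filebeat module or from Zeek: it splits the UNC tree path into host and share, keeps only SMB::FILE_WRITE records that target an administrative share, and marks executable file names. It consumes Zeek's JSON smb_files.log output; the flat column names action, path, name, size, uid and id.orig_h/id.resp_h are assumed here, and the sample lines are constructed.

```python
import json
import re

# Constructed sample smb_files.log lines in Zeek's JSON output. The column names
# (action, path, name, size, uid, id.orig_h, id.resp_h) are assumed; the data is made up.
SAMPLE_SMB_FILES = r"""
{"ts":1.0,"uid":"C1","id.orig_h":"10.1.1.20","id.resp_h":"10.1.1.5","fuid":"F1","action":"SMB::FILE_OPEN","path":"\\\\10.1.1.5\\ADMIN$","name":"PSEXESVC.exe","size":0}
{"ts":1.1,"uid":"C1","id.orig_h":"10.1.1.20","id.resp_h":"10.1.1.5","fuid":"F1","action":"SMB::FILE_WRITE","path":"\\\\10.1.1.5\\ADMIN$","name":"PSEXESVC.exe","size":181304}
{"ts":2.0,"uid":"C2","id.orig_h":"10.1.1.21","id.resp_h":"10.1.1.5","fuid":"F2","action":"SMB::FILE_READ","path":"\\\\10.1.1.5\\Shared","name":"report.docx","size":4096}
{"ts":3.0,"uid":"C3","id.orig_h":"10.1.1.22","id.resp_h":"10.1.1.5","fuid":"F3","action":"SMB::FILE_WRITE","path":"\\\\10.1.1.5\\C$","name":"Windows\\Temp\\svc.dll","size":9216}
{"ts":4.0,"uid":"C4","id.orig_h":"10.1.1.23","id.resp_h":"10.1.1.5","fuid":"F4","action":"SMB::FILE_WRITE","path":"\\\\10.1.1.5\\Shared","name":"notes.txt","size":10}
{"ts":5.0,"uid":"C5","id.orig_h":"10.1.1.24","id.resp_h":"10.1.1.5","fuid":"F5","action":"SMB::FILE_WRITE","path":"","name":"orphan.exe","size":10}
"""

# A tree path as Zeek logs it: \\host\share (two leading backslashes, one separator).
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)$")
# Administrative shares: ADMIN$ or a single drive letter followed by $.
ADMIN_SHARE_RE = re.compile(r"^(?:ADMIN\$|[A-Za-z]\$)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".scr")


def parse_unc(path):
    """Return (host, share) for a UNC tree path, or (None, None) when the path is empty or not UNC."""
    m = UNC_RE.match(path or "")
    if not m:
        return None, None
    return m.group("host"), m.group("share")


def flag_admin_share_writes(log_text, exts=EXECUTABLE_EXT):
    """One finding per SMB::FILE_WRITE whose tree path is an administrative share."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("action") != "SMB::FILE_WRITE":
            continue
        host, share = parse_unc(rec.get("path"))
        if share is None or not ADMIN_SHARE_RE.match(share):
            continue
        name = rec.get("name") or ""
        basename = name.rsplit("\\", 1)[-1]        # name may carry a relative path inside the share
        findings.append({
            "uid": rec.get("uid"),
            "src": rec.get("id.orig_h"),
            "dst": rec.get("id.resp_h"),
            "share_host": host,
            "share": share.upper(),
            "file": name,
            "executable": basename.lower().endswith(exts),
            "size": rec.get("size", 0),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_admin_share_writes(SAMPLE_SMB_FILES):
        print(finding)
```

Sessions C1 and C3 are reported (an executable dropped into ADMIN$ and a DLL into C$); the write to a plain Shared tree and the record with an empty path are ignored. Pair the finding with the smb_cmd and dce_rpc records from the same uid to confirm the service-creation step.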
        - name: smb_mapping
          type: group
          description: >
            Fields exported by the Zeek SMB_Mapping log.
          fields:
            - name: path
              type: keyword
              description: >
                Name of the tree path.
        
            - name: service
              type: keyword
              description: >
                The type of resource of the tree (disk share, printer share, named pipe, etc.).
        
            - name: native_file_system
              type: keyword
              description: >
                File system of the tree.
        
            - name: share_type
              type: keyword
              description: |
                If this is SMB2, a share type will be included. For SMB1, the type of share
                will be deduced and included as well.
        - name: smtp
          type: group
          description: >
            Fields exported by the Zeek SMTP log.
          fields:
            - name: transaction_depth
              type: integer
              description: >
                A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
        
            - name: helo
              type: keyword
              description: >
                Contents of the Helo header.
        
            - name: mail_from
              type: keyword
              description: >
                Email addresses found in the MAIL FROM header.
        
            - name: rcpt_to
              type: keyword
              description: >
                Email addresses found in the RCPT TO header.
        
            - name: date
              type: date
              description: >
                Contents of the Date header.
        
            - name: from
              type: keyword
              description: >
                Contents of the From header.
        
            - name: to
              type: keyword
              description: >
                Contents of the To header.
        
            - name: cc
              type: keyword
              description: >
                Contents of the CC header.
        
            - name: reply_to
              type: keyword
              description: >
                Contents of the ReplyTo header.
        
            - name: msg_id
              type: keyword
              description: >
                Contents of the MsgID header.
        
            - name: in_reply_to
              type: keyword
              description: >
                Contents of the In-Reply-To header.
        
            - name: subject
              type: keyword
              description: >
                Contents of the Subject header.
        
            - name: x_originating_ip
              type: keyword
              description: >
                Contents of the X-Originating-IP header.
        
            - name: first_received
              type: keyword
              description: |
                Contents of the first Received header.
        
            - name: second_received
              type: keyword
              description: |
                Contents of the second Received header.
        
            - name: last_reply
              type: keyword
              description: |
                The last message that the server sent to the client.
        
            - name: path
              type: ip
              description: |
                The message transmission path, as extracted from the headers.
        
            - name: user_agent
              type: keyword
              description: |
                Value of the User-Agent header from the client.
        
            - name: tls
              type: boolean
              description: |
                Indicates that the connection has switched to using TLS.
        
            - name: process_received_from
              type: boolean
              description: |
                Indicates if the "Received: from" headers should still be processed.
        
            - name: has_client_activity
              type: boolean
              description: |
                Indicates if client activity has been seen, but not yet logged.
        
            - name: fuids
              type: keyword
              description: |
                (present if base/protocols/smtp/files.bro is loaded)
                An ordered vector of file unique IDs seen attached to the message.
        
            - name: is_webmail
              type: boolean
              description: |
                Indicates if the message was sent through a webmail interface.
        - name: snmp
          type: group
          description: >
            Fields exported by the Zeek SNMP log.
          fields:
            - name: duration
              type: double
              description: >
                The amount of time between the first packet belonging to the SNMP session and the latest one seen.
        
            - name: version
              type: keyword
              description: >
                The version of SNMP being used.
        
            - name: community
              type: keyword
              description: >
                The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
        
            - name: get
              type: group
              fields:
                - name: requests
                  type: integer
                  description: >
                    The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
        
                - name: bulk_requests
                  type: integer
                  description: >
                    The number of variable bindings in GetBulkRequest PDUs seen for the session.
        
                - name: responses
                  type: integer
                  description: >
                    The number of variable bindings in GetResponse/Response PDUs seen for the session.
        
            - name: set
              type: group
              fields:
                - name: requests
                  type: integer
                  description: >
                    The number of variable bindings in SetRequest PDUs seen for the session.
        
            - name: display_string
              type: keyword
              description: >
                A system description of the SNMP responder endpoint.
        
            - name: up_since
              type: date
              description: >
                The time since which the SNMP responder endpoint claims to have been up.
        - name: socks
          type: group
          description: >
            Fields exported by the Zeek SOCKS log.
          fields:
            - name: version
              type: integer
              description: |
                Protocol version of SOCKS.
        
            - name: user
              type: keyword
              description: |
                Username used to request a login to the proxy.
        
            - name: password
              type: keyword
              description: |
                Password used to request a login to the proxy.
        
            - name: status
              type: keyword
              description: |
                Server status for the attempt at using the proxy.
        
            - name: request
              type: group
              fields:
                - name: host
                  type: keyword
                  description: |
                    Client requested SOCKS address. Could be an address, a name or both.
        
                - name: port
                  type: integer
                  description: |
                    Client requested port.
        
            - name: bound
              type: group
              fields:
                - name: host
                  type: keyword
                  description: |
                    Server bound address. Could be an address, a name or both.
        
                - name: port
                  type: integer
                  description: |
                    Server bound port.
        
            - name: capture_password
              type: boolean
              description: |
                Determines if the password will be captured for this request.
        - name: ssh
          type: group
          description: >
            Fields exported by the Zeek SSH log.
          fields:
            - name: client
              type: keyword
              description: >
                The client's version string.
        
            - name: direction
              type: keyword
              description: |
                Direction of the connection. If the client was a local host logging into
                an external host, this would be OUTBOUND. INBOUND would be set for the
                opposite situation.
        
            - name: host_key
              type: keyword
              description: >
                The server's key thumbprint.
        
            - name: server
              type: keyword
              description: >
                The server's version string.
        
            - name: version
              type: integer
              description: >
                SSH major version (1 or 2).
        
            - name: algorithm
              type: group
              description: >
                Cipher algorithms used in this session.
              fields:
                - name: cipher
                  type: keyword
                  description: >
                    The encryption algorithm in use.
        
                - name: compression
                  type: keyword
                  description: >
                    The compression algorithm in use.
        
                - name: host_key
                  type: keyword
                  description: >
                    The server host key's algorithm.
        
                - name: key_exchange
                  type: keyword
                  description: >
                    The key exchange algorithm in use.
        
                - name: mac
                  type: keyword
                  description: >
                    The signing (MAC) algorithm in use.
        
            - name: auth
              type: group
              fields:
                - name: attempts
                  type: integer
                  description: |
                    The number of authentication attempts observed. There is always at
                    least one, since some servers might support no authentication at all.
                    Note that not all of these are failures, since some servers require
                    two-factor auth (e.g. password AND pubkey).
        
                - name: success
                  type: boolean
                  description: >
                    Authentication result.
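The auth.attempts and auth.success fields above are what an SSH brute-force detection keys on, with the caveat the description gives: a login that succeeds on the second attempt can be legitimate two-factor auth, so the per-session threshold below starts at three. The following is an added example, not code from the Filebeat module or from Zeek: it reads Zeek's JSON ssh.log output (the flat column names auth_success, auth_attempts, direction, version, cipher_alg, mac_alg, kex_alg and host_key_alg are assumed here), counts failed attempts per session and per source, separately flags logins that succeeded only after repeated attempts, and lists sessions negotiated with known-weak algorithms or SSH protocol version 1. The sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample ssh.log lines in Zeek's JSON output. Column names are assumed; data is made up.
# auth_success is tri-state: true, false, or absent when Zeek could not determine the outcome.
SAMPLE_SSH = """
{"ts":1.0,"uid":"C1","id.orig_h":"203.0.113.9","id.resp_h":"10.0.0.5","version":2,"auth_success":false,"auth_attempts":6,"direction":"INBOUND","client":"SSH-2.0-libssh_0.8.1","server":"SSH-2.0-OpenSSH_8.9","cipher_alg":"aes128-ctr","mac_alg":"hmac-sha2-256","kex_alg":"curve25519-sha256","host_key_alg":"ssh-ed25519"}
{"ts":2.0,"uid":"C2","id.orig_h":"203.0.113.9","id.resp_h":"10.0.0.5","version":2,"auth_success":false,"auth_attempts":5,"direction":"INBOUND","client":"SSH-2.0-libssh_0.8.1","server":"SSH-2.0-OpenSSH_8.9","cipher_alg":"aes128-ctr","mac_alg":"hmac-sha2-256","kex_alg":"curve25519-sha256","host_key_alg":"ssh-ed25519"}
{"ts":3.0,"uid":"C3","id.orig_h":"203.0.113.9","id.resp_h":"10.0.0.5","version":2,"auth_success":true,"auth_attempts":4,"direction":"INBOUND","client":"SSH-2.0-libssh_0.8.1","server":"SSH-2.0-OpenSSH_8.9","cipher_alg":"aes128-ctr","mac_alg":"hmac-sha2-256","kex_alg":"curve25519-sha256","host_key_alg":"ssh-ed25519"}
{"ts":4.0,"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.5","version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_9.3","server":"SSH-2.0-OpenSSH_8.9","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-128-etm@openssh.com","kex_alg":"curve25519-sha256","host_key_alg":"ssh-ed25519"}
{"ts":5.0,"uid":"C5","id.orig_h":"10.0.0.8","id.resp_h":"192.0.2.7","version":2,"auth_attempts":1,"direction":"OUTBOUND","client":"SSH-2.0-PuTTY_Release_0.70","server":"SSH-2.0-dropbear_2012.55","cipher_alg":"3des-cbc","mac_alg":"hmac-md5","kex_alg":"diffie-hellman-group1-sha1","host_key_alg":"ssh-dss"}
{"ts":6.0,"uid":"C6","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.5","version":1,"auth_attempts":1,"direction":"INBOUND","client":"SSH-1.5-OpenSSH_3.4","server":"SSH-1.99-OpenSSH_8.9"}
"""

# Algorithms a reviewer would not want to see negotiated (RC4, single-DES/3DES-CBC,
# MD5/truncated MACs, 1024-bit group1 and SHA-1 group exchange, DSA host keys).
WEAK_ALGS = {
    "cipher_alg": {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256", "des-cbc"},
    "mac_alg": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kex_alg": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "host_key_alg": {"ssh-dss"},
}


def weak_algorithm_reasons(rec):
    """List the weak negotiated algorithms (and protocol version 1) found in one ssh.log record."""
    reasons = []
    if rec.get("version") == 1:
        reasons.append("version=1")
    for field, bad in WEAK_ALGS.items():
        value = rec.get(field)
        if value in bad:
            reasons.append(f"{field}={value}")
    return reasons


def analyze_ssh(log_text, per_session=3, per_source=10):
    """Flag brute-force sessions, successes after repeated attempts, noisy sources and weak crypto."""
    sessions, weak = [], []
    failed_by_source = defaultdict(int)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        uid, src = rec.get("uid"), rec.get("id.orig_h")
        attempts = rec.get("auth_attempts", 0)
        success = rec.get("auth_success")           # True / False / None (undetermined)
        if success is False:                        # None never counts as a failure
            failed_by_source[src] += attempts
            if attempts >= per_session:
                sessions.append({"uid": uid, "src": src, "attempts": attempts, "kind": "brute_force"})
        elif success is True and attempts >= per_session:
            sessions.append({"uid": uid, "src": src, "attempts": attempts, "kind": "success_after_failures"})
        reasons = weak_algorithm_reasons(rec)
        if reasons:
            weak.append({"uid": uid, "direction": rec.get("direction"), "reasons": reasons})
    noisy_sources = {s: n for s, n in failed_by_source.items() if n >= per_source}
    return {"sessions": sessions, "noisy_sources": noisy_sources, "weak": weak}


if __name__ == "__main__":
    print(json.dumps(analyze_ssh(SAMPLE_SSH), indent=2))
```

The success_after_failures case (C3) is the one worth paging on: the same source that produced two failed sessions then logged in. The direction field tells you whether a weak-crypto session is an inbound exposure or an outbound client talking to an old appliance.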
        - name: ssl
          type: group
          description: >
            Fields exported by the Zeek SSL log.
          fields:
            - name: version
              type: keyword
              description: >
                SSL/TLS version that was logged.
        
            - name: cipher
              type: keyword
              description: >
                SSL/TLS cipher suite that was logged.
        
            - name: curve
              type: keyword
              description: >
                Elliptic curve that was logged when using ECDH/ECDHE.
        
            - name: resumed
              type: boolean
              description: |
                Flag to indicate if the session was resumed reusing the key material exchanged in an
                earlier connection.
        
            - name: next_protocol
              type: keyword
              description: >
                Next protocol the server chose using the application layer next protocol extension.
        
            - name: established
              type: boolean
              description: >
                Flag to indicate if this ssl session has been established successfully.
        
            - name: validation
              type: group
              fields:
                - name: status
                  type: keyword
                  description: >
                    Result of certificate validation for this connection.
        
                - name: code
                  type: keyword
                  description: >
                    Result of certificate validation for this connection, given as OpenSSL validation code.
        
            - name: last_alert
              type: keyword
              description: >
                Last alert that was seen during the connection.
        
            - name: server
              type: group
              fields:
                - name: name
                  type: keyword
                  description: |
                    Value of the Server Name Indication (SNI) SSL/TLS extension. It indicates the server name
                    that the client was requesting.
        
                - name: cert_chain
                  type: keyword
                  description: >
                    Chain of certificates offered by the server to validate its complete signing chain.
        
                - name: cert_chain_fuids
                  type: keyword
                  description: >
                    An ordered vector of certificate file identifiers for the certificates offered by the server.
        
                - name: issuer
                  type: group
                  description: >
                    Subject of the signer of the X.509 certificate offered by the server.
                  fields:
                    - name: common_name
                      type: keyword
                      description: >
                        Common name of the signer of the X.509 certificate offered by the server.
        
                    - name: country
                      type: keyword
                      description: >
                        Country code of the signer of the X.509 certificate offered by the server.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality of the signer of the X.509 certificate offered by the server.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization of the signer of the X.509 certificate offered by the server.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit of the signer of the X.509 certificate offered by the server.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province name of the signer of the X.509 certificate offered by the server.
        
                - name: subject
                  type: group
                  description: >
                    Subject of the X.509 certificate offered by the server.
                  fields:
                    - name: common_name
                      type: keyword
                      description: >
                        Common name of the X.509 certificate offered by the server.
        
                    - name: country
                      type: keyword
                      description: >
                        Country code of the X.509 certificate offered by the server.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality of the X.509 certificate offered by the server.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization of the X.509 certificate offered by the server.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit of the X.509 certificate offered by the server.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province name of the X.509 certificate offered by the server.
        
            - name: client
              type: group
              fields:
                - name: cert_chain
                  type: keyword
                  description: >
                    Chain of certificates offered by the client to validate its complete signing chain.
        
                - name: cert_chain_fuids
                  type: keyword
                  description: >
                    An ordered vector of certificate file identifiers for the certificates offered by the client.
        
                - name: issuer
                  type: group
                  description: >
                    Subject of the signer of the X.509 certificate offered by the client.
                  fields:
                    - name: common_name
                      type: keyword
                      description: >
                        Common name of the signer of the X.509 certificate offered by the client.
        
                    - name: country
                      type: keyword
                      description: >
                        Country code of the signer of the X.509 certificate offered by the client.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality of the signer of the X.509 certificate offered by the client.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization of the signer of the X.509 certificate offered by the client.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit of the signer of the X.509 certificate offered by the client.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province name of the signer of the X.509 certificate offered by the client.
        
                - name: subject
                  type: group
                  description: >
                    Subject of the X.509 certificate offered by the client.
                  fields:
                    - name: common_name
                      type: keyword
                      description: >
                        Common name of the X.509 certificate offered by the client.
        
                    - name: country
                      type: keyword
                      description: >
                        Country code of the X.509 certificate offered by the client.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality of the X.509 certificate offered by the client.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization of the X.509 certificate offered by the client.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit of the X.509 certificate offered by the client.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province name of the X.509 certificate offered by the client.
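The subject and issuer groups above are populated by splitting Zeek's subject and issuer distinguished-name strings (CN=...,O=...,C=...) into their attributes. The following is an added example, not the module's own processor or Zeek code: a DN parser that handles escaped commas and repeated attributes such as two OU values, followed by the checks a reviewer would run over ssl.log records: failed certificate validation, self-signed certificates (subject equals issuer), legacy protocol versions, a certificate CN that does not cover the SNI name, and handshakes that never established. Zeek's flat column names (subject, issuer, validation_status, server_name, established, last_alert, version) are assumed here and the sample lines are constructed. The CN-versus-SNI check is a simplification: subjectAltName entries are not part of ssl.log, so a certificate that is valid only through its SAN list would be flagged and must be cross-checked against x509.log.

```python
import json

# Constructed sample ssl.log lines in Zeek's JSON output. Column names are assumed; data is made up.
# Note the escaped comma inside the issuer's O= value on the first and third lines.
SAMPLE_SSL = r"""
{"ts":1.0,"uid":"C1","id.orig_h":"10.0.0.8","id.resp_h":"198.51.100.10","version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"x25519","server_name":"www.example.com","resumed":false,"established":true,"subject":"CN=www.example.com,O=Example Corp,L=Springfield,ST=IL,C=US","issuer":"CN=Example Root CA,O=Example Trust\\, Inc.,C=US","validation_status":"ok"}
{"ts":2.0,"uid":"C2","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.5","version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","resumed":false,"established":true,"subject":"CN=10.0.0.5,O=Appliance,C=US","issuer":"CN=10.0.0.5,O=Appliance,C=US","validation_status":"self signed certificate"}
{"ts":3.0,"uid":"C3","id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.7","version":"TLSv10","cipher":"TLS_RSA_WITH_3DES_EDE_CBC_SHA","server_name":"legacy.example.org","resumed":false,"established":true,"subject":"CN=legacy.example.org,O=Example Corp,C=US","issuer":"CN=Example Root CA,O=Example Trust\\, Inc.,C=US","validation_status":"ok"}
{"ts":4.0,"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"192.0.2.44","version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","server_name":"bank.example.com","resumed":false,"established":true,"subject":"CN=*.example.net,OU=Ops,OU=Web,O=Other,C=DE","issuer":"CN=Unknown CA,O=Nobody,C=DE","validation_status":"unable to get local issuer certificate"}
{"ts":5.0,"uid":"C5","id.orig_h":"10.0.0.8","id.resp_h":"192.0.2.45","version":"TLSv13","server_name":"api.example.com","resumed":false,"established":false,"last_alert":"handshake_failure"}
"""

# DN attribute type -> field name used by the subject/issuer groups above.
DN_KEYS = {"CN": "common_name", "C": "country", "L": "locality", "O": "organization",
           "OU": "organizational_unit", "ST": "state"}
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def split_dn(dn):
    """Split a DN string on unescaped commas; a backslash escapes the next character (e.g. '\\,')."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_dn(dn):
    """Map a subject/issuer string onto common_name, country, ...; a repeated attribute becomes a list."""
    out = {}
    for rdn in split_dn(dn or ""):
        key, _, value = rdn.partition("=")
        name = DN_KEYS.get(key.strip().upper())
        if name is None:                      # attribute types the field list does not carry are dropped
            continue
        value = value.strip()
        if name in out:
            prev = out[name]
            out[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            out[name] = value
    return out


def name_matches(cn, sni):
    """True when the certificate CN covers the SNI host (exact match or single-label wildcard)."""
    if not cn or not sni:
        return True                           # nothing to compare: do not flag
    cn, sni = cn.lower(), sni.lower()
    if cn == sni:
        return True
    if cn.startswith("*."):
        return "." in sni and sni.split(".", 1)[1] == cn[2:]
    return False


def analyze_ssl(log_text):
    """Parse subject/issuer and attach review flags to every ssl.log record."""
    results = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        subject, issuer = parse_dn(rec.get("subject")), parse_dn(rec.get("issuer"))
        flags = []
        if rec.get("established") is False:
            flags.append("handshake_failed:" + str(rec.get("last_alert")))
        if rec.get("version") in LEGACY_VERSIONS:
            flags.append("legacy_version:" + rec["version"])
        status = rec.get("validation_status")
        if status is not None and status != "ok":
            flags.append("validation_failed:" + status)
        if rec.get("subject") and rec.get("subject") == rec.get("issuer"):
            flags.append("self_signed")
        cn = subject.get("common_name")
        cn = cn[0] if isinstance(cn, list) else cn
        if not name_matches(cn, rec.get("server_name")):
            flags.append("sni_mismatch")
        results.append({"uid": rec.get("uid"), "server_name": rec.get("server_name"),
                        "subject": subject, "issuer": issuer, "flags": flags})
    return results


if __name__ == "__main__":
    for r in analyze_ssl(SAMPLE_SSL):
        print(r["uid"], r["flags"], r["subject"])
```

A self-signed certificate on an internal appliance (C2) is usually noise; the same flag combined with sni_mismatch on a session to a public address (C4) is the interception pattern worth a look.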
        - name: stats
          type: group
          description: >
            Fields exported by the Zeek stats log.
          fields:
            - name: peer
              type: keyword
              description: |
                Peer that generated this log. Mostly for clusters.
        
            - name: memory
              type: integer
              description: |
                Amount of memory currently in use in MB.
        
            - name: packets
              type: group
              fields:
                - name: processed
                  type: long
                  description: |
                    Number of packets processed since the last stats interval.
        
                - name: dropped
                  type: long
                  description: |
                    Number of packets dropped since the last stats interval if reading live traffic.
        
                - name: received
                  type: long
                  description: |
                    Number of packets seen on the link since the last stats interval if reading live traffic.
        
            - name: bytes
              type: group
              fields:
                - name: received
                  type: long
                  description: |
                    Number of bytes received since the last stats interval if reading live traffic.
        
            - name: connections
              type: group
              fields:
                - name: tcp
                  type: group
                  fields:
                    - name: active
                      type: integer
                      description: |
                        TCP connections currently in memory.
        
                    - name: count
                      type: integer
                      description: |
                        TCP connections seen since last stats interval.
        
                - name: udp
                  type: group
                  fields:
                    - name: active
                      type: integer
                      description: |
                        UDP connections currently in memory.
        
                    - name: count
                      type: integer
                      description: |
                        UDP connections seen since last stats interval.
        
                - name: icmp
                  type: group
                  fields:
                    - name: active
                      type: integer
                      description: |
                        ICMP connections currently in memory.
        
                    - name: count
                      type: integer
                      description: |
                        ICMP connections seen since last stats interval.
        
            - name: events
              type: group
              fields:
                - name: processed
                  type: integer
                  description: |
                    Number of events processed since the last stats interval.
        
                - name: queued
                  type: integer
                  description: |
                    Number of events that have been queued since the last stats interval.
        
            - name: timers
              type: group
              fields:
                - name: count
                  type: integer
                  description: |
                    Number of timers scheduled since last stats interval.
        
                - name: active
                  type: integer
                  description: |
                    Current number of scheduled timers.
        
            - name: files
              type: group
              fields:
                - name: count
                  type: integer
                  description: |
                    Number of files seen since last stats interval.
        
                - name: active
                  type: integer
                  description: |
                    Current number of files actively being seen.
        
            - name: dns_requests
              type: group
              fields:
                - name: count
                  type: integer
                  description: |
                    Number of DNS requests seen since last stats interval.
        
                - name: active
                  type: integer
                  description: |
                    Current number of DNS requests awaiting a reply.
        
            - name: reassembly_size
              type: group
              fields:
                - name: tcp
                  type: integer
                  description: |
                    Current size of TCP data in reassembly.
        
                - name: file
                  type: integer
                  description: |
                    Current size of file data in reassembly.
        
                - name: frag
                  type: integer
                  description: |
                    Current size of packet fragment data in reassembly.
        
                - name: unknown
                  type: integer
                  description: |
                    Current size of unknown data in reassembly (this is only PIA buffer right now).
        
            - name: timestamp_lag
              type: integer
              description: |
                Lag between the wall clock and packet timestamps if reading live traffic.
        - name: syslog
          type: group
          description: >
            Fields exported by the Zeek syslog log.
          fields:
            - name: facility
              type: keyword
              description: >
                Syslog facility for the message.
        
            - name: severity
              type: keyword
              description: >
                Syslog severity for the message.
        
            - name: message
              type: keyword
              description: >
                The plain text message.
        - name: tunnel
          type: group
          description: >
            Fields exported by the Zeek tunnel log.
          fields:
            - name: type
              type: keyword
              description: >
                The type of tunnel.
        
            - name: action
              type: keyword
              description: >
                The type of activity that occurred.
        - name: weird
          type: group
          description: >
            Fields exported by the Zeek Weird log.
          fields:
            - name: name
              type: keyword
              description: |
                The name of the weird that occurred.
        
            - name: additional_info
              type: keyword
              description: |
                Additional information accompanying the weird if any.
        
            - name: notice
              type: boolean
              description: |
                Indicate if this weird was also turned into a notice.
        
            - name: peer
              type: keyword
              description: |
                The peer that originated this weird. This is helpful in cluster deployments for identifying which cluster node is having trouble.
        
            - name: identifier
              type: keyword
              description: |
                This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
        - name: x509
          type: group
          description: >
            Fields exported by the Zeek x509 log.
          fields:
            - name: id
              type: keyword
              description: >
                File id of this certificate.
        
            - name: certificate
              type: group
              description: >
                Basic information about the certificate.
              fields:
                - name: version
                  type: integer
                  description: >
                    Version number.
        
                - name: serial
                  type: keyword
                  description: >
                    Serial number.
        
                - name: subject
                  type: group
                  description: >
                    Subject.
                  fields:
                    - name: country
                      type: keyword
                      description: >
                        Country provided in the certificate subject.
        
                    - name: common_name
                      type: keyword
                      description: >
                        Common name provided in the certificate subject.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality provided in the certificate subject.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization provided in the certificate subject.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit provided in the certificate subject.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province provided in the certificate subject.
        
                - name: issuer
                  type: group
                  description: >
                    Issuer.
                  fields:
                    - name: country
                      type: keyword
                      description: >
                        Country provided in the certificate issuer field.
        
                    - name: common_name
                      type: keyword
                      description: >
                        Common name provided in the certificate issuer field.
        
                    - name: locality
                      type: keyword
                      description: >
                        Locality provided in the certificate issuer field.
        
                    - name: organization
                      type: keyword
                      description: >
                        Organization provided in the certificate issuer field.
        
                    - name: organizational_unit
                      type: keyword
                      description: >
                        Organizational unit provided in the certificate issuer field.
        
                    - name: state
                      type: keyword
                      description: >
                        State or province provided in the certificate issuer field.
        
                - name: common_name
                  type: keyword
                  description: >
                    Last (most specific) common name.
        
                - name: valid
                  type: group
                  description: >
                    Certificate validity timestamps.
                  fields:
                    - name: from
                      type: date
                      description: >
                        Timestamp before which the certificate is not valid.
        
                    - name: until
                      type: date
                      description: >
                        Timestamp after which the certificate is not valid.
        
                - name: key
                  type: group
                  fields:
                    - name: algorithm
                      type: keyword
                      description: >
                        Name of the key algorithm.
        
                    - name: type
                      type: keyword
                      description: >
                        Key type, if the key is parseable by OpenSSL (either rsa, dsa or ec).
        
                    - name: length
                      type: integer
                      description: >
                        Key length in bits.
        
                - name: signature_algorithm
                  type: keyword
                  description: >
                    Name of the signature algorithm.
        
                - name: exponent
                  type: keyword
                  description: >
                    Exponent, if RSA-certificate.
        
                - name: curve
                  type: keyword
                  description: >
                    Curve, if EC-certificate.
        
            - name: san
              type: group
              description: >
                Subject alternative name extension of the certificate.
              fields:
                - name: dns
                  type: keyword
                  description: >
                    List of DNS entries in SAN.
        
                - name: uri
                  type: keyword
                  description: >
                    List of URI entries in SAN.
        
                - name: email
                  type: keyword
                  description: >
                    List of email entries in SAN.
        
                - name: ip
                  type: ip
                  description: >
                    List of IP entries in SAN.
        
                - name: other_fields
                  type: boolean
                  description: >
                    True if the certificate contained other name fields that were not recognized or parsed.
        
            - name: basic_constraints
              type: group
              description: >
                Basic constraints extension of the certificate.
              fields:
                - name: certificate_authority
                  type: boolean
                  description: >
                    CA flag set or not.
        
                - name: path_length
                  type: integer
                  description: >
                    Maximum path length.
        
            - name: log_cert
              type: boolean
              description: |
                Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded.
                Logging of the certificate is suppressed if set to F.
- key: zookeeper
  title: "ZooKeeper"
  release: beta
  description: >
    ZooKeeper Module
  fields:
    - name: zookeeper
      type: group
      description: >
      fields:
        - name: audit
          type: group
          description: >
            ZooKeeper Audit logs.
          release: beta
          fields:
            - name: session
              type: keyword
              description: >
                Client session id
            - name: znode
              type: keyword
              description: >
                Path of the znode
            - name: znode_type
              type: keyword
              description: >
                Type of znode in case of creation operation
            - name: acl
              type: keyword
              description: >
                String representation of the znode ACL, like cdrwa (create, delete, read, write, admin). This is logged only for the setAcl operation.
            - name: result
              type: keyword
              description: >
                Result of the operation. Possible values are success, failure or invoked. The result "invoked" is used for the serverStop operation because the stop is logged before ensuring that the server actually stopped.
            - name: user
              type: keyword
              description: >
                Comma-separated list of users who are associated with a client session.
        - name: log
          type: group
          description: >
            ZooKeeper logs.
          release: beta
          fields:
- key: zoom
  title: Zoom
  description: >
    Module for handling incoming Zoom webhook requests
  fields:
        - name: zoom
          type: group
          release: ga
          description: >
            Module for parsing Zoom API Webhooks.
          fields:
            - name: master_account_id
              type: keyword
              description: >
                Master Account related to a specific Sub Account
            - name: sub_account_id
              type: keyword
              description: >
                Related Sub Account
            - name: operator_id
              type: keyword
              description: >
                UserID that triggered the event
            - name: operator
              type: keyword
              description: >
                Username/Email related to the user that triggered the event
            - name: account_id
              type: keyword
              description: >
                Related accountID to the event
            - name: timestamp
              type: date
              description: >
                Timestamp related to the event
            - name: creation_type
              type: keyword
              description: >
                Creation type
            - name: account.owner_id
              type: keyword
              description: >
                UserID of the user whose sub account was created/disassociated
            - name: account.email
              type: keyword
              description: >
                Email related to the user the action was performed on
            - name: account.owner_email
              type: keyword
              description: >
                Email of the user whose sub account was created/disassociated
            - name: account.account_name
              type: keyword
              description: >
                When an account name is updated, this is the new value set
            - name: account.account_alias
              type: keyword
              description: >
                When an account alias is updated, this is the new value set
            - name: account.account_support_name
              type: keyword
              description: >
                When an account support_name is updated, this is the new value set
            - name: account.account_support_email
              type: keyword
              description: >
                When an account support_email is updated, this is the new value set
            - name: chat_channel.name
              type: keyword
              description: >
                The name of the channel that has been added/modified/deleted
            - name: chat_channel.id
              type: keyword
              description: >
                The ID of the channel that has been added/modified/deleted
            - name: chat_channel.type
              type: keyword
              description: >
                Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public)
            - name: chat_message.id
              type: keyword
              description: >
                Unique ID of the related chat message
            - name: chat_message.type
              type: keyword
              description: >
                Type of message, can be either "to_contact" or "to_channel"
            - name: chat_message.session_id
              type: keyword
              description: >
                SessionID for the channel related to the message
            - name: chat_message.contact_email
              type: keyword
              description: >
                Email address related to the user sending the message
            - name: chat_message.contact_id
              type: keyword
              description: >
                UserID belonging to the user receiving a message
            - name: chat_message.channel_id
              type: keyword
              description: >
                ChannelID related to the message
            - name: chat_message.channel_name
              type: keyword
              description: >
                Channel name related to the message
            - name: chat_message.message
              type: keyword
              description: >
                A string containing the full message that was sent
            - name: meeting.id
              type: keyword
              description: >
                Unique ID of the related meeting
            - name: meeting.uuid
              type: keyword
              description: >
                The UUID of the related meeting
            - name: meeting.host_id
              type: keyword
              description: >
                The UserID of the configured meeting host
            - name: meeting.topic
              type: keyword
              description: >
                Topic of the related meeting
            - name: meeting.type
              type: keyword
              description: >
                Type of meeting created
            - name: meeting.start_time
              type: date
              description: >
                Date and time the meeting started
            - name: meeting.timezone
              type: keyword
              description: >
                Which timezone is used for the meeting timestamps
            - name: meeting.duration
              type: long
              description: >
                The duration of a meeting in minutes
            - name: meeting.issues
              type: keyword
              description: >
                When a user reports an issue with the meeting, for example: "Unstable audio quality"
            - name: meeting.password
              type: keyword
              description: >
                Password related to the meeting
            - name: phone.id
              type: keyword
              description: >
                Unique ID for the phone or conversation
            - name: phone.user_id
              type: keyword
              description: >
                UserID for the phone owner related to a Call Log being completed
            - name: phone.download_url
              type: keyword
              description: >
                Download URL for the voicemail
            - name: phone.ringing_start_time
              type: date
              description: >
                The timestamp when a ringtone was established to the callee
            - name: phone.connected_start_time
              type: date
              description: >
                The date and time when a ringtone was established to the callee
            - name: phone.answer_start_time
              type: date
              description: >
                The date and time when the call was answered
            - name: phone.call_end_time
              type: date
              description: >
                The date and time when the call ended
            - name: phone.call_id
              type: keyword
              description: >
                Unique ID of the related call
            - name: phone.duration
              type: long
              description: >
                Duration of a voicemail in minutes
            - name: phone.caller.id
              type: keyword
              description: >
                UserID of the caller related to the voicemail/call
            - name: phone.caller.user_id
              type: keyword
              description: >
                UserID of the person who initiated the call
            - name: phone.caller.number_type
              type: keyword
              description: >
                The type of number, can be 1(Internal) or 2(External)
            - name: phone.caller.name
              type: keyword
              description: >
                The name of the related caller
            - name: phone.caller.phone_number
              type: keyword
              description: >
                Phone Number of the caller related to the call
            - name: phone.caller.extension_type
              type: keyword
              description: >
                Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup
            - name: phone.caller.extension_number
              type: keyword
              description: >
                Extension number of the caller
            - name: phone.caller.timezone
              type: keyword
              description: >
                Timezone of the caller
            - name: phone.caller.device_type
              type: keyword
              description: >
                Device type used by the caller
            - name: phone.callee.id
              type: keyword
              description: >
                UserID of the callee related to the voicemail/call
            - name: phone.callee.user_id
              type: keyword
              description: >
                UserID of the related callee of a voicemail/call
            - name: phone.callee.name
              type: keyword
              description: >
                The name of the related callee
            - name: phone.callee.number_type
              type: keyword
              description: >
                The type of number, can be 1(Internal) or 2(External)
            - name: phone.callee.phone_number
              type: keyword
              description: >
                Phone Number of the callee related to the call
            - name: phone.callee.extension_type
              type: keyword
              description: >
                Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup
            - name: phone.callee.extension_number
              type: keyword
              description: >
                Extension number of the callee related to the call
            - name: phone.callee.timezone
              type: keyword
              description: >
                Timezone of the callee related to the call
            - name: phone.callee.device_type
              type: keyword
              description: >
                Device type used by the callee related to the call
            - name: phone.date_time
              type: date
              description: >
                Date and time of the related phone event
            - name: recording.id
              type: keyword
              description: >
                Unique ID of the related recording
            - name: recording.uuid
              type: keyword
              description: >
                UUID of the related recording
            - name: recording.host_id
              type: keyword
              description: >
                UserID of the host of the meeting that was recorded
            - name: recording.topic
              type: keyword
              description: >
                Topic of the meeting related to the recording
            - name: recording.type
              type: keyword
              description: >
                Type of recording. Several values are possible; see the Zoom documentation
            - name: recording.start_time
              type: date
              description: >
                The date and time when the recording started
            - name: recording.timezone
              type: keyword
              description: >
                The timezone used for the recording date
            - name: recording.duration
              type: long
              description: >
                Duration of the recording in minutes
            - name: recording.share_url
              type: keyword
              description: >
                The URL to access the recording
            - name: recording.total_size
              type: long
              description: >
                Total size of the recording in bytes
            - name: recording.recording_count
              type: long
              description: >
                Number of recording files related to the recording
            - name: recording.recording_file.recording_start
              type: date
              description: >
                The date and time the recording started
            - name: recording.recording_file.recording_end
              type: date
              description: >
                The date and time the recording finished
            - name: recording.host_email
              type: keyword
              description: >
                Email address of the host related to the meeting that was recorded
            - name: user.id
              type: keyword
              description: >
                UserID related to the user event
            - name: user.first_name
              type: keyword
              description: >
                User first name related to the user event
            - name: user.last_name
              type: keyword
              description: >
                User last name related to the user event
            - name: user.email
              type: keyword
              description: >
                User email related to the user event
            - name: user.type
              type: keyword
              description: >
                User type related to the user event
            - name: user.phone_number
              type: keyword
              description: >
                User phone number related to the user event
            - name: user.phone_country
              type: keyword
              description: >
                User country code related to the user event
            - name: user.company
              type: keyword
              description: >
                User company related to the user event
            - name: user.pmi
              type: keyword
              description: >
                User personal meeting ID related to the user event
            - name: user.use_pmi
              type: boolean
              description: >
                If a user has PMI enabled
            - name: user.pic_url
              type: keyword
              description: >
                Full URL to the profile picture used by the user
            - name: user.vanity_name
              type: keyword
              description: >
                Name of the personal meeting room related to the user event
            - name: user.timezone
              type: keyword
              description: >
                Timezone configured for the user
            - name: user.language
              type: keyword
              description: >
                Language configured for the user
            - name: user.host_key
              type: keyword
              description: >
                Host key set for the user
            - name: user.role
              type: keyword
              description: >
                The configured role for the user
            - name: user.dept
              type: keyword
              description: >
                The configured department for the user
            - name: user.presence_status
              type: keyword
              description: >
                Current presence status of user
            - name: user.personal_notes
              type: keyword
              description: >
                Personal notes for the User
            - name: user.client_type
              type: keyword
              description: >
                Type of client used by the user. Can be browser, mac, win, iphone or android
            - name: user.version
              type: keyword
              description: >
                Version of the client used by the user
            - name: webinar.id
              type: keyword
              description: >
                Unique ID for the related webinar
            - name: webinar.join_url
              type: keyword
              description: >
                The URL configured to join the webinar
            - name: webinar.uuid
              type: keyword
              description: >
                UUID for the related webinar
            - name: webinar.host_id
              type: keyword
              description: >
                UserID for the configured host of the webinar
            - name: webinar.topic
              type: keyword
              description: >
                Meeting topic of the related webinar
            - name: webinar.type
              type: keyword
              description: >
                Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time)
            - name: webinar.start_time
              type: date
              description: >
                The date and time when the webinar started
            - name: webinar.timezone
              type: keyword
              description: >
                Timezone used for the dates related to the webinar
            - name: webinar.duration
              type: long
              description: >
                Duration of the webinar in minutes
            - name: webinar.agenda
              type: keyword
              description: >
                The configured agenda of the webinar
            - name: webinar.password
              type: keyword
              description: >
                Password configured to access the webinar
            - name: webinar.issues
              type: keyword
              description: >
                Any reported issues about the webinar
            - name: zoomroom.id
              type: keyword
              description: >
                Unique ID of the Zoom room
            - name: zoomroom.room_name
              type: keyword
              description: >
                The configured name of the Zoom room
            - name: zoomroom.calendar_name
              type: keyword
              description: >
                Calendar name of the Zoom room
            - name: zoomroom.calendar_id
              type: keyword
              description: >
                Unique ID of the calendar used by the Zoom room
            - name: zoomroom.event_id
              type: keyword
              description: >
                Unique ID of the calendar event associated with the Zoom Room
            - name: zoomroom.change_key
              type: keyword
              description: >
                Key used by Microsoft products integration that represents a specific version of a calendar
            - name: zoomroom.resource_email
              type: keyword
              description: >
                Email address associated with the calendar in use by the Zoom room
            - name: zoomroom.email
              type: keyword
              description: >
                Email address associated with the Zoom room itself
            - name: zoomroom.issue
              type: keyword
              description: >
                Any reported alerts or issues related to the Zoom room or its equipment
            - name: zoomroom.alert_type
              type: keyword
              description: >
                An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation
            - name: zoomroom.component
              type: keyword
              description: >
                An integer value representing the type of equipment or component. The list of component types can be found in the Zoom documentation
            - name: zoomroom.alert_kind
              type: keyword
              description: >
                An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared)
            - name: registrant.id
              type: keyword
              description: >
                Unique ID of the user registering to a meeting or webinar
            - name: registrant.status
              type: keyword
              description: >
                Status of the specific user registration
            - name: registrant.email
              type: keyword
              description: >
                Email of the user registering to a meeting or webinar
            - name: registrant.first_name
              type: keyword
              description: >
                First name of the user registering to a meeting or webinar
            - name: registrant.last_name
              type: keyword
              description: >
                Last name of the user registering to a meeting or webinar
            - name: registrant.address
              type: keyword
              description: >
                Address of the user registering to a meeting or webinar
            - name: registrant.city
              type: keyword
              description: >
                City of the user registering to a meeting or webinar
            - name: registrant.country
              type: keyword
              description: >
                Country of the user registering to a meeting or webinar
            - name: registrant.zip
              type: keyword
              description: >
                Zip code of the user registering to a meeting or webinar
            - name: registrant.state
              type: keyword
              description: >
                State of the user registering to a meeting or webinar
            - name: registrant.phone
              type: keyword
              description: >
                Phone number of the user registering to a meeting or webinar
            - name: registrant.industry
              type: keyword
              description: >
                Related industry of the user registering to a meeting or webinar
            - name: registrant.org
              type: keyword
              description: >
                Organization related to the user registering to a meeting or webinar
            - name: registrant.job_title
              type: keyword
              description: >
                Job title of the user registering to a meeting or webinar
            - name: registrant.purchasing_time_frame
              type: keyword
              description: >
                Chosen purchase timeframe of the user registering to a meeting or webinar
            - name: registrant.role_in_purchase_process
              type: keyword
              description: >
                Chosen role in a purchase process related to the user registering to a meeting or webinar
            - name: registrant.no_of_employees
              type: keyword
              description: >
                Number of employees chosen by the user registering to a meeting or webinar
            - name: registrant.comments
              type: keyword
              description: >
                Comments left by the user registering to a meeting or webinar
            - name: registrant.join_url
              type: keyword
              description: >
                The URL that the registrant can use to join the webinar
            - name: participant.id
              type: keyword
              description: >
                Unique ID of the participant related to a meeting
            - name: participant.user_id
              type: keyword
              description: >
                UserID of the participant related to a meeting
            - name: participant.user_name
              type: keyword
              description: >
                Username of the participant related to a meeting
            - name: participant.join_time
              type: date
              description: >
                The date and time a participant joined a meeting
            - name: participant.leave_time
              type: date
              description: >
                The date and time a participant left a meeting
            - name: participant.sharing_details.link_source
              type: keyword
              description: >
                Method of sharing with the Dropbox integration
            - name: participant.sharing_details.content
              type: keyword
              description: >
                Type of content that was shared
            - name: participant.sharing_details.file_link
              type: keyword
              description: >
                The file link that was shared
            - name: participant.sharing_details.date_time
              type: keyword
              description: >
                Timestamp the sharing started
            - name: participant.sharing_details.source
              type: keyword
              description: >
                The file source that was shared
            - name: old_values
              type: flattened
              description: >
                Includes the old values when updating an object like user, meeting, account or webinar
            - name: settings
              type: flattened
              description: >
                The current active settings related to an object like user, meeting, account or webinar
- key: zscaler
  title: Zscaler NSS
  description: >
    zscaler fields.
  fields:
        - name: network.interface.name
          overwrite: true
          type: keyword
          description: >
            Name of the network interface where the traffic has been observed.
        - name: rsa
          overwrite: true
          type: group
          fields:
          - name: internal
            overwrite: true
            type: group
            fields:
            - name: msg
              overwrite: true
              type: keyword
              description: This key is used to capture the raw message that comes into the
                Log Decoder
            - name: messageid
              overwrite: true
              type: keyword
            - name: event_desc
              overwrite: true
              type: keyword
            - name: message
              overwrite: true
              type: keyword
              description: This key captures the contents of instant messages
            - name: time
              overwrite: true
              type: date
              description: This is the time at which a session hits a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness.
            - name: level
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: msg_id
              overwrite: true
              type: keyword
              description: This is the Message ID1 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: msg_vid
              overwrite: true
              type: keyword
              description: This is the Message ID2 value that identifies the exact log parser
                definition which parses a particular log session. This key should never be
                used to parse Meta data from a session (Logs/Packets) Directly, this is a
                Reserved key in NetWitness
            - name: data
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_server
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_val
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: resource
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: obj_id
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: statement
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: audit_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: entry
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: hcode
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: inode
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: resource_class
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: dead
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: feed_desc
              overwrite: true
              type: keyword
              description: This is used to capture the description of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: feed_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the feed. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: cid
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Concentrator.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_class
              overwrite: true
              type: keyword
              description: This is the Classification of the Log Event Source under a predefined
                fixed set of Event Source Classifications. This key should never be used to
                parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
                key in NetWitness
            - name: device_group
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_host
              overwrite: true
              type: keyword
              description: This is the Hostname of the log Event Source sending the logs to
                NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ip
              overwrite: true
              type: ip
              description: This is the IPv4 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_ipv6
              overwrite: true
              type: ip
              description: This is the IPv6 address of the Log Event Source sending the logs
                to NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: device_type
              overwrite: true
              type: keyword
              description: This is the name of the log parser which parsed a given session.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: device_type_id
              overwrite: true
              type: long
              description: Deprecated key defined only in table map.
            - name: did
              overwrite: true
              type: keyword
              description: This is the unique identifier used to identify a NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: entropy_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: entropy_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the Meta Type can
                be either UInt16 or Float32 based on the configuration
            - name: event_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: feed_category
              overwrite: true
              type: keyword
              description: This is used to capture the category of the feed. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: forward_ip
              overwrite: true
              type: ip
              description: This key should be used to capture the IPV4 address of a relay
                system which forwarded the events from the original system to NetWitness.
            - name: forward_ipv6
              overwrite: true
              type: ip
              description: This key is used to capture the IPV6 address of a relay system
                which forwarded the events from the original system to NetWitness. This key
                should never be used to parse Meta data from a session (Logs/Packets) Directly,
                this is a Reserved key in NetWitness
            - name: header_id
              overwrite: true
              type: keyword
              description: This is the Header ID value that identifies the exact log parser
                header definition that parses a particular log session. This key should never
                be used to parse Meta data from a session (Logs/Packets) Directly, this is
                a Reserved key in NetWitness
            - name: lc_cid
              overwrite: true
              type: keyword
              description: This is a unique Identifier of a Log Collector. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: lc_ctime
              overwrite: true
              type: date
              description: This is the time at which a log is collected in a NetWitness Log
                Collector. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: mcb_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                request is simply which byte for each side (0 thru 255) was seen the most
            - name: mcb_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                response is simply which byte for each side (0 thru 255) was seen the most
            - name: mcbc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: mcbc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the most common byte
                count is the number of times the most common byte (above) was seen in the
                session streams
            - name: medium
              overwrite: true
              type: long
              description: "This key is used to identify if it\u2019s a log/packet session\
                \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
                \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
                \ 32 = log, 33 = correlation session, < 32 is packet session"
            - name: node_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: nwe_callback_id
              overwrite: true
              type: keyword
              description: This key denotes that the event is endpoint related
            - name: parse_error
              overwrite: true
              type: keyword
              description: This is a special key that stores any Meta key validation error
                found while parsing a log session. This key should never be used to parse
                Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
                NetWitness
            - name: payload_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: payload_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, the payload size metrics
                are the payload sizes of each session side at the time of parsing. However,
                in order to keep
            - name: process_vid_dst
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the target process.
            - name: process_vid_src
              overwrite: true
              type: keyword
              description: Endpoint generates and uses a unique virtual ID to identify any
                similar group of process. This ID represents the source process.
            - name: rid
              overwrite: true
              type: long
              description: This is a special ID of the Remote Session created by NetWitness
                Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: session_split
              overwrite: true
              type: keyword
              description: This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: site
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: size
              overwrite: true
              type: long
              description: This is the size of the session as seen by the NetWitness Decoder.
                This key should never be used to parse Meta data from a session (Logs/Packets)
                Directly, this is a Reserved key in NetWitness
            - name: sourcefile
              overwrite: true
              type: keyword
              description: This is the name of the log file or PCAPs that can be imported
                into NetWitness. This key should never be used to parse Meta data from a session
                (Logs/Packets) Directly, this is a Reserved key in NetWitness
            - name: ubc_req
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
            - name: ubc_res
              overwrite: true
              type: long
              description: This key is only used by the Entropy Parser, Unique byte count
                is the number of unique bytes seen in each stream. 256 would mean all byte
                values of 0 thru 255 were seen at least once
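The Entropy Parser keys defined above (entropy_req/entropy_res, mcb_req/mcb_res, mcbc_req/mcbc_res, payload_req/payload_res and ubc_req/ubc_res) are easier to reason about when computed over actual bytes. The block below is an added illustrative reimplementation of those per-stream metrics; it is not NetWitness code and not part of this fields file. The function names, the use of Shannon entropy in bits per byte, the lowest-value tie-break for the most common byte, and the sample request/response bytes are all assumptions constructed for the example.

```python
"""Per-stream metrics in the style of the Entropy Parser keys above.

Added illustrative example, not NetWitness code: a plain reimplementation
of payload size, unique byte count (ubc), most common byte (mcb), most
common byte count (mcbc) and entropy for each side of a session.
"""
import math
from collections import Counter


def stream_metrics(data: bytes) -> dict:
    """Compute the values the fields above describe for one stream side.

    payload : size of the stream in bytes
    ubc     : unique byte count; 256 means every value 0..255 was seen
    mcb     : most common byte value (0..255); ties go to the lowest
              value, an assumption made for this example
    mcbc    : how many times that most common byte was seen
    entropy : Shannon entropy in bits per byte (0.0 .. 8.0), rounded
    """
    if not data:
        return {"payload": 0, "ubc": 0, "mcb": None, "mcbc": 0, "entropy": 0.0}
    counts = Counter(data)
    n = len(data)
    mcbc = max(counts.values())
    mcb = min(b for b, c in counts.items() if c == mcbc)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {"payload": n, "ubc": len(counts), "mcb": mcb,
            "mcbc": mcbc, "entropy": round(entropy, 3)}


def session_metrics(req: bytes, res: bytes) -> dict:
    """Emit both sides under the _req/_res key names used by rsa.internal."""
    r, s = stream_metrics(req), stream_metrics(res)
    return {
        "payload_req": r["payload"], "payload_res": s["payload"],
        "ubc_req": r["ubc"], "ubc_res": s["ubc"],
        "mcb_req": r["mcb"], "mcb_res": s["mcb"],
        "mcbc_req": r["mcbc"], "mcbc_res": s["mcbc"],
        "entropy_req": r["entropy"], "entropy_res": s["entropy"],
    }


def looks_opaque(metrics: dict, side: str, min_entropy: float = 7.0) -> bool:
    """Triage rule (an assumption for this example): a side whose entropy is
    near the 8-bit maximum is more likely compressed or encrypted than text."""
    return metrics[f"entropy_{side}"] >= min_entropy


# Constructed sample traffic, not captured data: a plaintext HTTP request and
# a response whose body contains every byte value once, which is the
# ubc == 256 case the field descriptions mention.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n" + bytes(range(256))


if __name__ == "__main__":
    m = session_metrics(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for key, value in m.items():
        print(f"{key:12s} {value}")
    print("request opaque: ", looks_opaque(m, "req"))
    print("response opaque:", looks_opaque(m, "res"))
```

Run as a script to see both sides side by side: the text request stays at a low unique byte count and entropy well under 5 bits per byte, while the response side reaches ubc_res of 256 and entropy close to 8. That contrast is what makes these keys useful for spotting encrypted or packed payloads on ports where plaintext is expected; the 7.0 threshold and the tie-break rule are choices made for this example, not values taken from NetWitness.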
            - name: word
              overwrite: true
              type: keyword
              description: This is used by the Word Parsing technology to capture the first
                5 characters of every word in an unparsed log
          - name: time
            overwrite: true
            type: group
            fields:
            - name: event_time
              overwrite: true
              type: date
              description: This key is used to capture the time mentioned in a raw session
                that represents the actual time an event occurred in a standard normalized
                form
            - name: duration_time
              overwrite: true
              type: double
              description: This key is used to capture the normalized duration/lifetime in
                seconds.
            - name: event_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture the incomplete time mentioned in a
                session as a string
            - name: starttime
              overwrite: true
              type: date
              description: This key is used to capture the Start time mentioned in a session
                in a standard form
            - name: month
              overwrite: true
              type: keyword
            - name: day
              overwrite: true
              type: keyword
            - name: endtime
              overwrite: true
              type: date
              description: This key is used to capture the End time mentioned in a session
                in a standard form
            - name: timezone
              overwrite: true
              type: keyword
              description: This key is used to capture the timezone of the Event Time
            - name: duration_str
              overwrite: true
              type: keyword
              description: A text string version of the duration
            - name: date
              overwrite: true
              type: keyword
            - name: year
              overwrite: true
              type: keyword
            - name: recorded_time
              overwrite: true
              type: date
              description: The event time as recorded by the system the event is collected
                from. The usage scenario is a multi-tier application where the management
                layer of the system records its own timestamp at the time of collection from
                its child nodes. Must be in timestamp format.
            - name: datetime
              overwrite: true
              type: keyword
            - name: effective_time
              overwrite: true
              type: date
              description: This key is the effective time referenced by an individual event
                in a Standard Timestamp format
            - name: expire_time
              overwrite: true
              type: date
              description: This key is the timestamp that explicitly refers to an expiration.
            - name: process_time
              overwrite: true
              type: keyword
              description: Deprecated, use duration.time
            - name: hour
              overwrite: true
              type: keyword
            - name: min
              overwrite: true
              type: keyword
            - name: timestamp
              overwrite: true
              type: keyword
            - name: event_queue_time
              overwrite: true
              type: date
              description: This key is the Time that the event was queued.
            - name: p_time1
              overwrite: true
              type: keyword
            - name: tzone
              overwrite: true
              type: keyword
            - name: eventtime
              overwrite: true
              type: keyword
            - name: gmtdate
              overwrite: true
              type: keyword
            - name: gmttime
              overwrite: true
              type: keyword
            - name: p_date
              overwrite: true
              type: keyword
            - name: p_month
              overwrite: true
              type: keyword
            - name: p_time
              overwrite: true
              type: keyword
            - name: p_time2
              overwrite: true
              type: keyword
            - name: p_year
              overwrite: true
              type: keyword
            - name: expire_time_str
              overwrite: true
              type: keyword
              description: This key is used to capture incomplete timestamp that explicitly
                refers to an expiration.
            - name: stamp
              overwrite: true
              type: date
              description: Deprecated key defined only in table map.
          - name: misc
            overwrite: true
            type: group
            fields:
            - name: action
              overwrite: true
              type: keyword
            - name: result
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result string value of
                an action in a session.
            - name: severity
              overwrite: true
              type: keyword
              description: This key is used to capture the severity given the session
            - name: event_type
              overwrite: true
              type: keyword
              description: This key captures the event category type as specified by the event
                source.
            - name: reference_id
              overwrite: true
              type: keyword
              description: This key is used to capture an event id from the session directly
            - name: version
              overwrite: true
              type: keyword
              description: This key captures Version of the application or OS which is generating
                the event.
            - name: disposition
              overwrite: true
              type: keyword
              description: This key captures the end state of an action.
            - name: result_code
              overwrite: true
              type: keyword
              description: This key is used to capture the outcome/result numeric value of
                an action in a session
            - name: category
              overwrite: true
              type: keyword
              description: This key is used to capture the category of an event given by the
                vendor in the session
            - name: obj_name
              overwrite: true
              type: keyword
              description: This is used to capture the name of the object
            - name: obj_type
              overwrite: true
              type: keyword
              description: This is used to capture the type of the object
            - name: event_source
              overwrite: true
              type: keyword
              description: "This key captures Source of the event that\u2019s not a hostname"
            - name: log_session_id
              overwrite: true
              type: keyword
              description: This key is used to capture a sessionid from the session directly
            - name: group
              overwrite: true
              type: keyword
              description: This key captures the Group Name value
            - name: policy_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Policy Name only.
            - name: rule_name
              overwrite: true
              type: keyword
              description: This key captures the Rule Name
            - name: context
              overwrite: true
              type: keyword
              description: This key captures Information which adds additional context to
                the event.
            - name: change_new
              overwrite: true
              type: keyword
              description: "This key is used to capture the new values of the attribute that\u2019\
                s changing in a session"
            - name: space
              overwrite: true
              type: keyword
            - name: client
              overwrite: true
              type: keyword
              description: This key is used to capture only the name of the client application
                requesting resources of the server. See the user.agent meta key for capture
                of the specific user agent identifier or browser identification string.
            - name: msgIdPart1
              overwrite: true
              type: keyword
            - name: msgIdPart2
              overwrite: true
              type: keyword
            - name: change_old
              overwrite: true
              type: keyword
              description: "This key is used to capture the old value of the attribute that\u2019\
                s changing in a session"
            - name: operation_id
              overwrite: true
              type: keyword
              description: An alert number or operation number. The values should be unique
                and non-repeating.
            - name: event_state
              overwrite: true
              type: keyword
              description: This key captures the current state of the object/item referenced
                within the event. Describing an on-going event.
            - name: group_object
              overwrite: true
              type: keyword
              description: This key captures a collection/grouping of entities. Specific usage
            - name: node
              overwrite: true
              type: keyword
              description: Common use case is the node name within a cluster. The cluster
                name is reflected by the host name.
            - name: rule
              overwrite: true
              type: keyword
              description: This key captures the Rule number
            - name: device_name
              overwrite: true
              type: keyword
              description: 'This is used to capture the name of the device associated with the
                node, like a physical disk, printer, etc.'
            - name: param
              overwrite: true
              type: keyword
              description: This key is the parameters passed as part of a command or application,
                etc.
            - name: change_attrib
              overwrite: true
              type: keyword
              description: "This key is used to capture the name of the attribute that\u2019\
                s changing in a session"
            - name: event_computer
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the fully
                qualified domain name in a Windows log.
            - name: reference_id1
              overwrite: true
              type: keyword
              description: This key is for Linked ID to be used as an addition to "reference.id"
            - name: event_log
              overwrite: true
              type: keyword
              description: This key captures the Name of the event log
            - name: OS
              overwrite: true
              type: keyword
              description: This key captures the Name of the Operating System
            - name: terminal
              overwrite: true
              type: keyword
              description: This key captures the Terminal Names only
            - name: msgIdPart3
              overwrite: true
              type: keyword
            - name: filter
              overwrite: true
              type: keyword
              description: This key captures Filter used to reduce result set
            - name: serial_number
              overwrite: true
              type: keyword
              description: This key is the Serial number associated with a physical asset.
            - name: checksum
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the entity
                such as a file or process. Checksum should be used over checksum.src or checksum.dst
                when it is unclear whether the entity is a source or target of an action.
            - name: event_user
              overwrite: true
              type: keyword
              description: This key is a Windows-only concept, used to capture the combination
                of domain name and username in a Windows log.
            - name: virusname
              overwrite: true
              type: keyword
              description: This key captures the name of the virus
            - name: content_type
              overwrite: true
              type: keyword
              description: This key is used to capture Content Type only.
            - name: group_id
              overwrite: true
              type: keyword
              description: This key captures Group ID Number (related to the group name)
            - name: policy_id
              overwrite: true
              type: keyword
              description: This key captures the policy ID only; it should be a numeric
                value. Use policy.name otherwise.
            - name: vsys
              overwrite: true
              type: keyword
              description: This key captures Virtual System Name
            - name: connection_id
              overwrite: true
              type: keyword
              description: This key captures the Connection ID
            - name: reference_id2
              overwrite: true
              type: keyword
              description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
                or "reference.id1" value but should not be used unless the other two variables
                are in play.
            - name: sensor
              overwrite: true
              type: keyword
              description: This key captures Name of the sensor. Typically used in IDS/IPS
                based devices
            - name: sig_id
              overwrite: true
              type: long
              description: This key captures the IDS/IPS integer signature ID
            - name: port_name
              overwrite: true
              type: keyword
              description: 'This key is used for Physical or logical port connection but does
                NOT include a network port. (Example: Printer port name).'
            - name: rule_group
              overwrite: true
              type: keyword
              description: This key captures the Rule group name
            - name: risk_num
              overwrite: true
              type: double
              description: This key captures a Numeric Risk value
            - name: trigger_val
              overwrite: true
              type: keyword
              description: This key captures the Value of the trigger or threshold condition.
            - name: log_session_id1
              overwrite: true
              type: keyword
              description: This key is used to capture a Linked (Related) Session ID from
                the session directly
            - name: comp_version
              overwrite: true
              type: keyword
              description: This key captures the Version level of a sub-component of a product.
            - name: content_version
              overwrite: true
              type: keyword
              description: This key captures Version level of a signature or database content.
            - name: hardware_id
              overwrite: true
              type: keyword
              description: This key is used to capture a unique identifier for a device or
                system (NOT a MAC address)
            - name: risk
              overwrite: true
              type: keyword
              description: This key captures the non-numeric risk value
            - name: event_id
              overwrite: true
              type: keyword
            - name: reason
              overwrite: true
              type: keyword
            - name: status
              overwrite: true
              type: keyword
            - name: mail_id
              overwrite: true
              type: keyword
              description: This key is used to capture the mailbox id/name
            - name: rule_uid
              overwrite: true
              type: keyword
              description: This key is the Unique Identifier for a rule.
            - name: trigger_desc
              overwrite: true
              type: keyword
              description: This key captures the Description of the trigger or threshold condition.
            - name: inout
              overwrite: true
              type: keyword
            - name: p_msgid
              overwrite: true
              type: keyword
            - name: data_type
              overwrite: true
              type: keyword
            - name: msgIdPart4
              overwrite: true
              type: keyword
            - name: error
              overwrite: true
              type: keyword
              description: This key captures All non successful Error codes or responses
            - name: index
              overwrite: true
              type: keyword
            - name: listnum
              overwrite: true
              type: keyword
              description: This key is used to capture a list name or list number, primarily
                for access lists
            - name: ntype
              overwrite: true
              type: keyword
            - name: observed_val
              overwrite: true
              type: keyword
              description: This key captures the Value observed (from the perspective of the
                device generating the log).
            - name: policy_value
              overwrite: true
              type: keyword
              description: This key captures the contents of the policy. This contains details
                about the policy
            - name: pool_name
              overwrite: true
              type: keyword
              description: This key captures the name of a resource pool
            - name: rule_template
              overwrite: true
              type: keyword
              description: A default set of parameters that are overlaid onto a rule (or
                rule name), effectively constituting a template
            - name: count
              overwrite: true
              type: keyword
            - name: number
              overwrite: true
              type: keyword
            - name: sigcat
              overwrite: true
              type: keyword
            - name: type
              overwrite: true
              type: keyword
            - name: comments
              overwrite: true
              type: keyword
              description: Comment information provided in the log message
            - name: doc_number
              overwrite: true
              type: long
              description: This key captures File Identification number
            - name: expected_val
              overwrite: true
              type: keyword
              description: This key captures the Value expected (from the perspective of the
                device generating the log).
            - name: job_num
              overwrite: true
              type: keyword
              description: This key captures the Job Number
            - name: spi_dst
              overwrite: true
              type: keyword
              description: Destination SPI Index
            - name: spi_src
              overwrite: true
              type: keyword
              description: Source SPI Index
            - name: code
              overwrite: true
              type: keyword
            - name: agent_id
              overwrite: true
              type: keyword
              description: This key is used to capture agent id
            - name: message_body
              overwrite: true
              type: keyword
              description: This key captures the contents of the message body.
            - name: phone
              overwrite: true
              type: keyword
            - name: sig_id_str
              overwrite: true
              type: keyword
              description: This key captures the signature ID as a string (the string form of the sig_id value).
            - name: cmd
              overwrite: true
              type: keyword
            - name: misc
              overwrite: true
              type: keyword
            - name: name
              overwrite: true
              type: keyword
            - name: cpu
              overwrite: true
              type: long
              description: This key is the CPU time used in the execution of the event being
                recorded.
            - name: event_desc
              overwrite: true
              type: keyword
              description: This key is used to capture a description of an event available
                directly or inferred
            - name: sig_id1
              overwrite: true
              type: long
              description: This key captures an IDS/IPS integer signature ID. This must be
                linked to sig.id
            - name: im_buddyid
              overwrite: true
              type: keyword
            - name: im_client
              overwrite: true
              type: keyword
            - name: im_userid
              overwrite: true
              type: keyword
            - name: pid
              overwrite: true
              type: keyword
            - name: priority
              overwrite: true
              type: keyword
            - name: context_subject
              overwrite: true
              type: keyword
              description: This key is to be used in an audit context where the subject is
                the object being identified
            - name: context_target
              overwrite: true
              type: keyword
            - name: cve
              overwrite: true
              type: keyword
              description: This key captures CVE (Common Vulnerabilities and Exposures) -
                an identifier for known information security vulnerabilities.
            - name: fcatnum
              overwrite: true
              type: keyword
              description: This key captures the filter category number (legacy usage)
            - name: library
              overwrite: true
              type: keyword
              description: This key is used to capture library information in mainframe devices
            - name: parent_node
              overwrite: true
              type: keyword
              description: This key captures the Parent Node Name. Must be related to node
                variable.
            - name: risk_info
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: tcp_flags
              overwrite: true
              type: long
              description: This key captures the TCP flags set in any packet of the session
            - name: tos
              overwrite: true
              type: long
              description: This key captures the type of service (TOS) value
            - name: vm_target
              overwrite: true
              type: keyword
              description: VMware target. VMware-only variable.
            - name: workspace
              overwrite: true
              type: keyword
              description: This key captures Workspace Description
            - name: command
              overwrite: true
              type: keyword
            - name: event_category
              overwrite: true
              type: keyword
            - name: facilityname
              overwrite: true
              type: keyword
            - name: forensic_info
              overwrite: true
              type: keyword
            - name: jobname
              overwrite: true
              type: keyword
            - name: mode
              overwrite: true
              type: keyword
            - name: policy
              overwrite: true
              type: keyword
            - name: policy_waiver
              overwrite: true
              type: keyword
            - name: second
              overwrite: true
              type: keyword
            - name: space1
              overwrite: true
              type: keyword
            - name: subcategory
              overwrite: true
              type: keyword
            - name: tbdstr2
              overwrite: true
              type: keyword
            - name: alert_id
              overwrite: true
              type: keyword
              description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: checksum_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the target
                entity such as a process or file.
            - name: checksum_src
              overwrite: true
              type: keyword
              description: This key is used to capture the checksum or hash of the source
                entity such as a file or process.
            - name: fresult
              overwrite: true
              type: long
              description: This key captures the Filter Result
            - name: payload_dst
              overwrite: true
              type: keyword
              description: This key is used to capture destination payload
            - name: payload_src
              overwrite: true
              type: keyword
              description: This key is used to capture source payload
            - name: pool_id
              overwrite: true
              type: keyword
              description: This key captures the identifier (typically numeric field) of a
                resource pool
            - name: process_id_val
              overwrite: true
              type: keyword
              description: This key is a fallback key for the process ID when the value is
                not an integer
            - name: risk_num_comm
              overwrite: true
              type: double
              description: This key captures Risk Number Community
            - name: risk_num_next
              overwrite: true
              type: double
              description: This key captures Risk Number NextGen
            - name: risk_num_sand
              overwrite: true
              type: double
              description: This key captures Risk Number SandBox
            - name: risk_num_static
              overwrite: true
              type: double
              description: This key captures Risk Number Static
            - name: risk_suspicious
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: risk_warning
              overwrite: true
              type: keyword
              description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
            - name: snmp_oid
              overwrite: true
              type: keyword
              description: SNMP Object Identifier
            - name: sql
              overwrite: true
              type: keyword
              description: This key captures the SQL query
            - name: vuln_ref
              overwrite: true
              type: keyword
              description: This key captures the Vulnerability Reference details
            - name: acl_id
              overwrite: true
              type: keyword
            - name: acl_op
              overwrite: true
              type: keyword
            - name: acl_pos
              overwrite: true
              type: keyword
            - name: acl_table
              overwrite: true
              type: keyword
            - name: admin
              overwrite: true
              type: keyword
            - name: alarm_id
              overwrite: true
              type: keyword
            - name: alarmname
              overwrite: true
              type: keyword
            - name: app_id
              overwrite: true
              type: keyword
            - name: audit
              overwrite: true
              type: keyword
            - name: audit_object
              overwrite: true
              type: keyword
            - name: auditdata
              overwrite: true
              type: keyword
            - name: benchmark
              overwrite: true
              type: keyword
            - name: bypass
              overwrite: true
              type: keyword
            - name: cache
              overwrite: true
              type: keyword
            - name: cache_hit
              overwrite: true
              type: keyword
            - name: cefversion
              overwrite: true
              type: keyword
            - name: cfg_attr
              overwrite: true
              type: keyword
            - name: cfg_obj
              overwrite: true
              type: keyword
            - name: cfg_path
              overwrite: true
              type: keyword
            - name: changes
              overwrite: true
              type: keyword
            - name: client_ip
              overwrite: true
              type: keyword
            - name: clustermembers
              overwrite: true
              type: keyword
            - name: cn_acttimeout
              overwrite: true
              type: keyword
            - name: cn_asn_src
              overwrite: true
              type: keyword
            - name: cn_bgpv4nxthop
              overwrite: true
              type: keyword
            - name: cn_ctr_dst_code
              overwrite: true
              type: keyword
            - name: cn_dst_tos
              overwrite: true
              type: keyword
            - name: cn_dst_vlan
              overwrite: true
              type: keyword
            - name: cn_engine_id
              overwrite: true
              type: keyword
            - name: cn_engine_type
              overwrite: true
              type: keyword
            - name: cn_f_switch
              overwrite: true
              type: keyword
            - name: cn_flowsampid
              overwrite: true
              type: keyword
            - name: cn_flowsampintv
              overwrite: true
              type: keyword
            - name: cn_flowsampmode
              overwrite: true
              type: keyword
            - name: cn_inacttimeout
              overwrite: true
              type: keyword
            - name: cn_inpermbyts
              overwrite: true
              type: keyword
            - name: cn_inpermpckts
              overwrite: true
              type: keyword
            - name: cn_invalid
              overwrite: true
              type: keyword
            - name: cn_ip_proto_ver
              overwrite: true
              type: keyword
            - name: cn_ipv4_ident
              overwrite: true
              type: keyword
            - name: cn_l_switch
              overwrite: true
              type: keyword
            - name: cn_log_did
              overwrite: true
              type: keyword
            - name: cn_log_rid
              overwrite: true
              type: keyword
            - name: cn_max_ttl
              overwrite: true
              type: keyword
            - name: cn_maxpcktlen
              overwrite: true
              type: keyword
            - name: cn_min_ttl
              overwrite: true
              type: keyword
            - name: cn_minpcktlen
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_1
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_10
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_2
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_3
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_4
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_5
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_6
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_7
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_8
              overwrite: true
              type: keyword
            - name: cn_mpls_lbl_9
              overwrite: true
              type: keyword
            - name: cn_mplstoplabel
              overwrite: true
              type: keyword
            - name: cn_mplstoplabip
              overwrite: true
              type: keyword
            - name: cn_mul_dst_byt
              overwrite: true
              type: keyword
            - name: cn_mul_dst_pks
              overwrite: true
              type: keyword
            - name: cn_muligmptype
              overwrite: true
              type: keyword
            - name: cn_sampalgo
              overwrite: true
              type: keyword
            - name: cn_sampint
              overwrite: true
              type: keyword
            - name: cn_seqctr
              overwrite: true
              type: keyword
            - name: cn_spackets
              overwrite: true
              type: keyword
            - name: cn_src_tos
              overwrite: true
              type: keyword
            - name: cn_src_vlan
              overwrite: true
              type: keyword
            - name: cn_sysuptime
              overwrite: true
              type: keyword
            - name: cn_template_id
              overwrite: true
              type: keyword
            - name: cn_totbytsexp
              overwrite: true
              type: keyword
            - name: cn_totflowexp
              overwrite: true
              type: keyword
            - name: cn_totpcktsexp
              overwrite: true
              type: keyword
            - name: cn_unixnanosecs
              overwrite: true
              type: keyword
            - name: cn_v6flowlabel
              overwrite: true
              type: keyword
            - name: cn_v6optheaders
              overwrite: true
              type: keyword
            - name: comp_class
              overwrite: true
              type: keyword
            - name: comp_name
              overwrite: true
              type: keyword
            - name: comp_rbytes
              overwrite: true
              type: keyword
            - name: comp_sbytes
              overwrite: true
              type: keyword
            - name: cpu_data
              overwrite: true
              type: keyword
            - name: criticality
              overwrite: true
              type: keyword
            - name: cs_agency_dst
              overwrite: true
              type: keyword
            - name: cs_analyzedby
              overwrite: true
              type: keyword
            - name: cs_av_other
              overwrite: true
              type: keyword
            - name: cs_av_primary
              overwrite: true
              type: keyword
            - name: cs_av_secondary
              overwrite: true
              type: keyword
            - name: cs_bgpv6nxthop
              overwrite: true
              type: keyword
            - name: cs_bit9status
              overwrite: true
              type: keyword
            - name: cs_context
              overwrite: true
              type: keyword
            - name: cs_control
              overwrite: true
              type: keyword
            - name: cs_data
              overwrite: true
              type: keyword
            - name: cs_datecret
              overwrite: true
              type: keyword
            - name: cs_dst_tld
              overwrite: true
              type: keyword
            - name: cs_eth_dst_ven
              overwrite: true
              type: keyword
            - name: cs_eth_src_ven
              overwrite: true
              type: keyword
            - name: cs_event_uuid
              overwrite: true
              type: keyword
            - name: cs_filetype
              overwrite: true
              type: keyword
            - name: cs_fld
              overwrite: true
              type: keyword
            - name: cs_if_desc
              overwrite: true
              type: keyword
            - name: cs_if_name
              overwrite: true
              type: keyword
            - name: cs_ip_next_hop
              overwrite: true
              type: keyword
            - name: cs_ipv4dstpre
              overwrite: true
              type: keyword
            - name: cs_ipv4srcpre
              overwrite: true
              type: keyword
            - name: cs_lifetime
              overwrite: true
              type: keyword
            - name: cs_log_medium
              overwrite: true
              type: keyword
            - name: cs_loginname
              overwrite: true
              type: keyword
            - name: cs_modulescore
              overwrite: true
              type: keyword
            - name: cs_modulesign
              overwrite: true
              type: keyword
            - name: cs_opswatresult
              overwrite: true
              type: keyword
            - name: cs_payload
              overwrite: true
              type: keyword
            - name: cs_registrant
              overwrite: true
              type: keyword
            - name: cs_registrar
              overwrite: true
              type: keyword
            - name: cs_represult
              overwrite: true
              type: keyword
            - name: cs_rpayload
              overwrite: true
              type: keyword
            - name: cs_sampler_name
              overwrite: true
              type: keyword
            - name: cs_sourcemodule
              overwrite: true
              type: keyword
            - name: cs_streams
              overwrite: true
              type: keyword
            - name: cs_targetmodule
              overwrite: true
              type: keyword
            - name: cs_v6nxthop
              overwrite: true
              type: keyword
            - name: cs_whois_server
              overwrite: true
              type: keyword
            - name: cs_yararesult
              overwrite: true
              type: keyword
            - name: description
              overwrite: true
              type: keyword
            - name: devvendor
              overwrite: true
              type: keyword
            - name: distance
              overwrite: true
              type: keyword
            - name: dstburb
              overwrite: true
              type: keyword
            - name: edomain
              overwrite: true
              type: keyword
            - name: edomaub
              overwrite: true
              type: keyword
            - name: euid
              overwrite: true
              type: keyword
            - name: facility
              overwrite: true
              type: keyword
            - name: finterface
              overwrite: true
              type: keyword
            - name: flags
              overwrite: true
              type: keyword
            - name: gaddr
              overwrite: true
              type: keyword
            - name: id3
              overwrite: true
              type: keyword
            - name: im_buddyname
              overwrite: true
              type: keyword
            - name: im_croomid
              overwrite: true
              type: keyword
            - name: im_croomtype
              overwrite: true
              type: keyword
            - name: im_members
              overwrite: true
              type: keyword
            - name: im_username
              overwrite: true
              type: keyword
            - name: ipkt
              overwrite: true
              type: keyword
            - name: ipscat
              overwrite: true
              type: keyword
            - name: ipspri
              overwrite: true
              type: keyword
            - name: latitude
              overwrite: true
              type: keyword
            - name: linenum
              overwrite: true
              type: keyword
            - name: list_name
              overwrite: true
              type: keyword
            - name: load_data
              overwrite: true
              type: keyword
            - name: location_floor
              overwrite: true
              type: keyword
            - name: location_mark
              overwrite: true
              type: keyword
            - name: log_id
              overwrite: true
              type: keyword
            - name: log_type
              overwrite: true
              type: keyword
            - name: logid
              overwrite: true
              type: keyword
            - name: logip
              overwrite: true
              type: keyword
            - name: logname
              overwrite: true
              type: keyword
            - name: longitude
              overwrite: true
              type: keyword
            - name: lport
              overwrite: true
              type: keyword
            - name: mbug_data
              overwrite: true
              type: keyword
            - name: misc_name
              overwrite: true
              type: keyword
            - name: msg_type
              overwrite: true
              type: keyword
            - name: msgid
              overwrite: true
              type: keyword
            - name: netsessid
              overwrite: true
              type: keyword
            - name: num
              overwrite: true
              type: keyword
            - name: number1
              overwrite: true
              type: keyword
            - name: number2
              overwrite: true
              type: keyword
            - name: nwwn
              overwrite: true
              type: keyword
            - name: object
              overwrite: true
              type: keyword
            - name: operation
              overwrite: true
              type: keyword
            - name: opkt
              overwrite: true
              type: keyword
            - name: orig_from
              overwrite: true
              type: keyword
            - name: owner_id
              overwrite: true
              type: keyword
            - name: p_action
              overwrite: true
              type: keyword
            - name: p_filter
              overwrite: true
              type: keyword
            - name: p_group_object
              overwrite: true
              type: keyword
            - name: p_id
              overwrite: true
              type: keyword
            - name: p_msgid1
              overwrite: true
              type: keyword
            - name: p_msgid2
              overwrite: true
              type: keyword
            - name: p_result1
              overwrite: true
              type: keyword
            - name: password_chg
              overwrite: true
              type: keyword
            - name: password_expire
              overwrite: true
              type: keyword
            - name: permgranted
              overwrite: true
              type: keyword
            - name: permwanted
              overwrite: true
              type: keyword
            - name: pgid
              overwrite: true
              type: keyword
            - name: policyUUID
              overwrite: true
              type: keyword
            - name: prog_asp_num
              overwrite: true
              type: keyword
            - name: program
              overwrite: true
              type: keyword
            - name: real_data
              overwrite: true
              type: keyword
            - name: rec_asp_device
              overwrite: true
              type: keyword
            - name: rec_asp_num
              overwrite: true
              type: keyword
            - name: rec_library
              overwrite: true
              type: keyword
            - name: recordnum
              overwrite: true
              type: keyword
            - name: ruid
              overwrite: true
              type: keyword
            - name: sburb
              overwrite: true
              type: keyword
            - name: sdomain_fld
              overwrite: true
              type: keyword
            - name: sec
              overwrite: true
              type: keyword
            - name: sensorname
              overwrite: true
              type: keyword
            - name: seqnum
              overwrite: true
              type: keyword
            - name: session
              overwrite: true
              type: keyword
            - name: sessiontype
              overwrite: true
              type: keyword
            - name: sigUUID
              overwrite: true
              type: keyword
            - name: spi
              overwrite: true
              type: keyword
            - name: srcburb
              overwrite: true
              type: keyword
            - name: srcdom
              overwrite: true
              type: keyword
            - name: srcservice
              overwrite: true
              type: keyword
            - name: state
              overwrite: true
              type: keyword
            - name: status1
              overwrite: true
              type: keyword
            - name: svcno
              overwrite: true
              type: keyword
            - name: system
              overwrite: true
              type: keyword
            - name: tbdstr1
              overwrite: true
              type: keyword
            - name: tgtdom
              overwrite: true
              type: keyword
            - name: tgtdomain
              overwrite: true
              type: keyword
            - name: threshold
              overwrite: true
              type: keyword
            - name: type1
              overwrite: true
              type: keyword
            - name: udb_class
              overwrite: true
              type: keyword
            - name: url_fld
              overwrite: true
              type: keyword
            - name: user_div
              overwrite: true
              type: keyword
            - name: userid
              overwrite: true
              type: keyword
            - name: username_fld
              overwrite: true
              type: keyword
            - name: utcstamp
              overwrite: true
              type: keyword
            - name: v_instafname
              overwrite: true
              type: keyword
            - name: virt_data
              overwrite: true
              type: keyword
            - name: vpnid
              overwrite: true
              type: keyword
            - name: autorun_type
              overwrite: true
              type: keyword
              description: This is used to capture Auto Run type
            - name: cc_number
              overwrite: true
              type: long
              description: Valid Credit Card Numbers only
            - name: content
              overwrite: true
              type: keyword
              description: This key captures the content type from protocol headers
            - name: ein_number
              overwrite: true
              type: long
              description: Employee Identification Numbers only
            - name: found
              overwrite: true
              type: keyword
              description: This is used to capture the results of regex match
            - name: language
              overwrite: true
              type: keyword
              description: This is used to capture list of languages the client support and
                what it prefers
            - name: lifetime
              overwrite: true
              type: long
              description: This key is used to capture the session lifetime in seconds.
            - name: link
              overwrite: true
              type: keyword
              description: This key is used to link the sessions together. This key should
                never be used to parse Meta data from a session (Logs/Packets) Directly, this
                is a Reserved key in NetWitness
            - name: match
              overwrite: true
              type: keyword
              description: This key is for regex match name from search.ini
            - name: param_dst
              overwrite: true
              type: keyword
              description: This key captures the command line/launch argument of the target
                process or file
            - name: param_src
              overwrite: true
              type: keyword
              description: This key captures source parameter
            - name: search_text
              overwrite: true
              type: keyword
              description: This key captures the Search Text used
            - name: sig_name
              overwrite: true
              type: keyword
              description: This key is used to capture the Signature Name only.
            - name: snmp_value
              overwrite: true
              type: keyword
              description: SNMP set request value
            - name: streams
              overwrite: true
              type: long
              description: This key captures number of streams in session
          - name: db
            overwrite: true
            type: group
            fields:
            - name: index
              overwrite: true
              type: keyword
              description: This key captures IndexID of the index.
            - name: instance
              overwrite: true
              type: keyword
              description: This key is used to capture the database server instance name
            - name: database
              overwrite: true
              type: keyword
              description: This key is used to capture the name of a database or an instance
                as seen in a session
            - name: transact_id
              overwrite: true
              type: keyword
              description: This key captures the SQL transaction ID of the current session
            - name: permissions
              overwrite: true
              type: keyword
              description: This key captures permission or privilege level assigned to a resource.
            - name: table_name
              overwrite: true
              type: keyword
              description: This key is used to capture the table name
            - name: db_id
              overwrite: true
              type: keyword
              description: This key is used to capture the unique identifier for a database
            - name: db_pid
              overwrite: true
              type: long
              description: This key captures the process id of a connection with database
                server
            - name: lread
              overwrite: true
              type: long
              description: This key is used for the number of logical reads
            - name: lwrite
              overwrite: true
              type: long
              description: This key is used for the number of logical writes
            - name: pread
              overwrite: true
              type: long
              description: This key is used for the number of physical writes
          - name: network
            overwrite: true
            type: group
            fields:
            - name: alias_host
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a hostname is not clear. Also it captures the Device Hostname. Any Hostname
                that isn't ad.computer.
            - name: domain
              overwrite: true
              type: keyword
            - name: host_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Hostname"
            - name: network_service
              overwrite: true
              type: keyword
              description: This is used to capture layer 7 protocols/service names
            - name: interface
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of an interface is not clear
            - name: network_port
              overwrite: true
              type: long
              description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
                used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
            - name: eth_host
              overwrite: true
              type: keyword
              description: Deprecated, use alias.mac
            - name: sinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Interface"
            - name: dinterface
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Interface"
            - name: vlan
              overwrite: true
              type: long
              description: This key should only be used to capture the ID of the Virtual LAN
            - name: zone_src
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Source Zone."
            - name: zone
              overwrite: true
              type: keyword
              description: This key should be used when the source or destination context
                of a Zone is not clear
            - name: zone_dst
              overwrite: true
              type: keyword
              description: "This key should only be used when it\u2019s a Destination Zone."
            - name: gateway
              overwrite: true
              type: keyword
              description: This key is used to capture the IP Address of the gateway
            - name: icmp_type
              overwrite: true
              type: long
              description: This key is used to capture the ICMP type only
            - name: mask
              overwrite: true
              type: keyword
              description: This key is used to capture the device network IPmask.
            - name: icmp_code
              overwrite: true
              type: long
              description: This key is used to capture the ICMP code only
            - name: protocol_detail
              overwrite: true
              type: keyword
              description: This key should be used to capture additional protocol information
            - name: dmask
              overwrite: true
              type: keyword
              description: This key is used for Destination Device network mask
            - name: port
              overwrite: true
              type: long
              description: This key should only be used to capture a Network Port when the
                directionality is not clear
            - name: smask
              overwrite: true
              type: keyword
              description: This key is used for capturing source Network Mask
            - name: netname
              overwrite: true
              type: keyword
              description: This key is used to capture the network name associated with an
                IP range. This is configured by the end user.
            - name: paddr
              overwrite: true
              type: ip
              description: Deprecated
            - name: faddr
              overwrite: true
              type: keyword
            - name: lhost
              overwrite: true
              type: keyword
            - name: origin
              overwrite: true
              type: keyword
            - name: remote_domain_id
              overwrite: true
              type: keyword
            - name: addr
              overwrite: true
              type: keyword
            - name: dns_a_record
              overwrite: true
              type: keyword
            - name: dns_ptr_record
              overwrite: true
              type: keyword
            - name: fhost
              overwrite: true
              type: keyword
            - name: fport
              overwrite: true
              type: keyword
            - name: laddr
              overwrite: true
              type: keyword
            - name: linterface
              overwrite: true
              type: keyword
            - name: phost
              overwrite: true
              type: keyword
            - name: ad_computer_dst
              overwrite: true
              type: keyword
              description: Deprecated, use host.dst
            - name: eth_type
              overwrite: true
              type: long
              description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
                Only
            - name: ip_proto
              overwrite: true
              type: long
              description: This key should be used to capture the Protocol number, all the
                protocol numbers are converted into string in UI
            - name: dns_cname_record
              overwrite: true
              type: keyword
            - name: dns_id
              overwrite: true
              type: keyword
            - name: dns_opcode
              overwrite: true
              type: keyword
            - name: dns_resp
              overwrite: true
              type: keyword
            - name: dns_type
              overwrite: true
              type: keyword
            - name: domain1
              overwrite: true
              type: keyword
            - name: host_type
              overwrite: true
              type: keyword
            - name: packet_length
              overwrite: true
              type: keyword
            - name: host_orig
              overwrite: true
              type: keyword
              description: This is used to capture the original hostname in case of a Forwarding
                Agent or a Proxy in between.
            - name: rpayload
              overwrite: true
              type: keyword
              description: This key is used to capture the total number of payload bytes seen
                in the retransmitted packets.
            - name: vlan_name
              overwrite: true
              type: keyword
              description: This key should only be used to capture the name of the Virtual
                LAN
          - name: investigations
            overwrite: true
            type: group
            fields:
            - name: ec_activity
              overwrite: true
              type: keyword
              description: This key captures the particular event activity(Ex:Logoff)
            - name: ec_theme
              overwrite: true
              type: keyword
              description: This key captures the Theme of a particular Event(Ex:Authentication)
            - name: ec_subject
              overwrite: true
              type: keyword
              description: This key captures the Subject of a particular Event(Ex:User)
            - name: ec_outcome
              overwrite: true
              type: keyword
              description: This key captures the outcome of a particular Event(Ex:Success)
            - name: event_cat
              overwrite: true
              type: long
              description: This key captures the Event category number
            - name: event_cat_name
              overwrite: true
              type: keyword
              description: This key captures the event category name corresponding to the
                event cat code
            - name: event_vcat
              overwrite: true
              type: keyword
              description: This is a vendor supplied category. This should be used in situations
                where the vendor has adopted their own event_category taxonomy.
            - name: analysis_file
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a File Analysis.
                This key should be used to capture an analysis of a file
            - name: analysis_service
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used in a Service Analysis.
                This key should be used to capture an analysis of a service
            - name: analysis_session
              overwrite: true
              type: keyword
              description: This is used to capture all indicators used for a Session Analysis.
                This key should be used to capture an analysis of a session
            - name: boc
              overwrite: true
              type: keyword
              description: This is used to capture behaviour of compromise
            - name: eoc
              overwrite: true
              type: keyword
              description: This is used to capture Enablers of Compromise
            - name: inv_category
              overwrite: true
              type: keyword
              description: This is used to capture investigation category
            - name: inv_context
              overwrite: true
              type: keyword
              description: This is used to capture investigation context
            - name: ioc
              overwrite: true
              type: keyword
              description: This key is used to capture indicator of compromise
          - name: counters
            overwrite: true
            type: group
            fields:
            - name: dclass_c1
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c1.str only
            - name: dclass_c2
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c2.str only
            - name: event_counter
              overwrite: true
              type: long
              description: This is used to capture the number of times an event repeated
            - name: dclass_r1
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r1.str only
            - name: dclass_c3
              overwrite: true
              type: long
              description: This is a generic counter key that should be used with the label
                dclass.c3.str only
            - name: dclass_c1_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c1 only
            - name: dclass_c2_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c2 only
            - name: dclass_r1_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r1 only
            - name: dclass_r2
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r2.str only
            - name: dclass_c3_str
              overwrite: true
              type: keyword
              description: This is a generic counter string key that should be used with the
                label dclass.c3 only
            - name: dclass_r3
              overwrite: true
              type: keyword
              description: This is a generic ratio key that should be used with the label
                dclass.r3.str only
            - name: dclass_r2_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r2 only
            - name: dclass_r3_str
              overwrite: true
              type: keyword
              description: This is a generic ratio string key that should be used with the
                label dclass.r3 only
          - name: identity
            overwrite: true
            type: group
            fields:
            - name: auth_method
              overwrite: true
              type: keyword
              description: This key is used to capture authentication methods used only
            - name: user_role
              overwrite: true
              type: keyword
              description: This key is used to capture the Role of a user only
            - name: dn
              overwrite: true
              type: keyword
              description: X.500 (LDAP) Distinguished Name
            - name: logon_type
              overwrite: true
              type: keyword
              description: This key is used to capture the type of logon method used.
            - name: profile
              overwrite: true
              type: keyword
              description: This key is used to capture the user profile
            - name: accesses
              overwrite: true
              type: keyword
              description: This key is used to capture actual privileges used in accessing
                an object
            - name: realm
              overwrite: true
              type: keyword
              description: Radius realm or similar grouping of accounts
            - name: user_sid_dst
              overwrite: true
              type: keyword
              description: This key captures Destination User Session ID
            - name: dn_src
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Source dn
            - name: org
              overwrite: true
              type: keyword
              description: This key captures the User organization
            - name: dn_dst
              overwrite: true
              type: keyword
              description: An X.500 (LDAP) Distinguished name that is used in a context that
                indicates a Destination dn
            - name: firstname
              overwrite: true
              type: keyword
              description: This key is for First Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: lastname
              overwrite: true
              type: keyword
              description: This key is for Last Names only, this is used for Healthcare predominantly
                to capture Patients information
            - name: user_dept
              overwrite: true
              type: keyword
              description: User's Department Names only
            - name: user_sid_src
              overwrite: true
              type: keyword
              description: This key captures Source User Session ID
            - name: federated_sp
              overwrite: true
              type: keyword
              description: This key is the Federated Service Provider. This is the application
                requesting authentication.
            - name: federated_idp
              overwrite: true
              type: keyword
              description: This key is the federated Identity Provider. This is the server
                providing the authentication.
            - name: logon_type_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the textual description of an integer
                logon type as stored in the meta key 'logon.type'.
            - name: middlename
              overwrite: true
              type: keyword
              description: This key is for Middle Names only, this is used for Healthcare
                predominantly to capture Patients information
            - name: password
              overwrite: true
              type: keyword
              description: This key is for Passwords seen in any session, plain text or encrypted
            - name: host_role
              overwrite: true
              type: keyword
              description: This key should only be used to capture the role of a Host Machine
            - name: ldap
              overwrite: true
              type: keyword
              description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
                t have a clear query or response context"
            - name: ldap_query
              overwrite: true
              type: keyword
              description: This key is the Search criteria from an LDAP search
            - name: ldap_response
              overwrite: true
              type: keyword
              description: This key is to capture Results from an LDAP search
            - name: owner
              overwrite: true
              type: keyword
              description: This is used to capture username the process or service is running
                as, the author of the task
            - name: service_account
              overwrite: true
              type: keyword
              description: This key is a windows specific key, used for capturing name of
                the account a service (referenced in the event) is running under. Legacy Usage
          - name: email
            overwrite: true
            type: group
            fields:
            - name: email_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the Destination email address only,
                when the destination context is not clear use email
            - name: email_src
              overwrite: true
              type: keyword
              description: This key is used to capture the source email address only, when
                the source context is not clear use email
            - name: subject
              overwrite: true
              type: keyword
              description: This key is used to capture the subject string from an Email only.
            - name: email
              overwrite: true
              type: keyword
              description: This key is used to capture a generic email address where the source
                or destination context is not clear
            - name: trans_from
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: trans_to
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
          - name: file
            overwrite: true
            type: group
            fields:
            - name: privilege
              overwrite: true
              type: keyword
              description: Deprecated, use permissions
            - name: attachment
              overwrite: true
              type: keyword
              description: This key captures the attachment file name
            - name: filesystem
              overwrite: true
              type: keyword
            - name: binary
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: filename_dst
              overwrite: true
              type: keyword
              description: This is used to capture name of the file targeted by the action
            - name: filename_src
              overwrite: true
              type: keyword
              description: This is used to capture name of the parent filename, the file which
                performed the action
            - name: filename_tmp
              overwrite: true
              type: keyword
            - name: directory_dst
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the target process
                or file
            - name: directory_src
              overwrite: true
              type: keyword
              description: This key is used to capture the directory of the source process
                or file
            - name: file_entropy
              overwrite: true
              type: double
              description: This is used to capture entropy value of a file
            - name: file_vendor
              overwrite: true
              type: keyword
              description: This is used to capture Company name of file located in version_info
            - name: task_name
              overwrite: true
              type: keyword
              description: This is used to capture name of the task
          - name: web
            overwrite: true
            type: group
            fields:
            - name: fqdn
              overwrite: true
              type: keyword
              description: Fully Qualified Domain Names
            - name: web_cookie
              overwrite: true
              type: keyword
              description: This key is used to capture the Web cookies specifically.
            - name: alias_host
              overwrite: true
              type: keyword
            - name: reputation_num
              overwrite: true
              type: double
              description: Reputation Number of an entity. Typically used for Web Domains
            - name: web_ref_domain
              overwrite: true
              type: keyword
              description: Web referer's domain
            - name: web_ref_query
              overwrite: true
              type: keyword
              description: This key captures Web referer's query portion of the URL
            - name: remote_domain
              overwrite: true
              type: keyword
            - name: web_ref_page
              overwrite: true
              type: keyword
              description: This key captures Web referer's page information
            - name: web_ref_root
              overwrite: true
              type: keyword
              description: Web referer's root URL path
            - name: cn_asn_dst
              overwrite: true
              type: keyword
            - name: cn_rpackets
              overwrite: true
              type: keyword
            - name: urlpage
              overwrite: true
              type: keyword
            - name: urlroot
              overwrite: true
              type: keyword
            - name: p_url
              overwrite: true
              type: keyword
            - name: p_user_agent
              overwrite: true
              type: keyword
            - name: p_web_cookie
              overwrite: true
              type: keyword
            - name: p_web_method
              overwrite: true
              type: keyword
            - name: p_web_referer
              overwrite: true
              type: keyword
            - name: web_extension_tmp
              overwrite: true
              type: keyword
            - name: web_page
              overwrite: true
              type: keyword
          - name: threat
            overwrite: true
            type: group
            fields:
            - name: threat_category
              overwrite: true
              type: keyword
              description: This key captures the threat name, threat category, or categorization
                of the alert
            - name: threat_desc
              overwrite: true
              type: keyword
              description: This key is used to capture the threat description from the session
                directly or inferred
            - name: alert
              overwrite: true
              type: keyword
              description: This key is used to capture the name of the alert
            - name: threat_source
              overwrite: true
              type: keyword
              description: This key is used to capture the source of the threat
          - name: crypto
            overwrite: true
            type: group
            fields:
            - name: crypto
              overwrite: true
              type: keyword
              description: This key is used to capture the Encryption Type or Encryption Key
                only
            - name: cipher_src
              overwrite: true
              type: keyword
              description: This key is for Source (Client) Cipher
            - name: cert_subject
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate organization only
            - name: peer
              overwrite: true
              type: keyword
              description: This key is for the encryption peer's IP address
            - name: cipher_size_src
              overwrite: true
              type: long
              description: This key captures Source (Client) Cipher Size
            - name: ike
              overwrite: true
              type: keyword
              description: IKE negotiation phase.
            - name: scheme
              overwrite: true
              type: keyword
              description: This key captures the Encryption scheme used
            - name: peer_id
              overwrite: true
              type: keyword
              description: "This key is for Encryption peer\u2019s identity"
            - name: sig_type
              overwrite: true
              type: keyword
              description: This key captures the Signature Type
            - name: cert_issuer
              overwrite: true
              type: keyword
            - name: cert_host_name
              overwrite: true
              type: keyword
              description: Deprecated key defined only in table map.
            - name: cert_error
              overwrite: true
              type: keyword
              description: This key captures the Certificate Error String
            - name: cipher_dst
              overwrite: true
              type: keyword
              description: This key is for Destination (Server) Cipher
            - name: cipher_size_dst
              overwrite: true
              type: long
              description: This key captures Destination (Server) Cipher Size
            - name: ssl_ver_src
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: d_certauth
              overwrite: true
              type: keyword
            - name: s_certauth
              overwrite: true
              type: keyword
            - name: ike_cookie1
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
            - name: ike_cookie2
              overwrite: true
              type: keyword
              description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
            - name: cert_checksum
              overwrite: true
              type: keyword
            - name: cert_host_cat
              overwrite: true
              type: keyword
              description: This key is used for the hostname category value of a certificate
            - name: cert_serial
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate serial number only
            - name: cert_status
              overwrite: true
              type: keyword
              description: This key captures Certificate validation status
            - name: ssl_ver_dst
              overwrite: true
              type: keyword
              description: Deprecated, use version
            - name: cert_keysize
              overwrite: true
              type: keyword
            - name: cert_username
              overwrite: true
              type: keyword
            - name: https_insact
              overwrite: true
              type: keyword
            - name: https_valid
              overwrite: true
              type: keyword
            - name: cert_ca
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate signing authority only
            - name: cert_common
              overwrite: true
              type: keyword
              description: This key is used to capture the Certificate common name only
          - name: wireless
            overwrite: true
            type: group
            fields:
            - name: wlan_ssid
              overwrite: true
              type: keyword
              description: This key is used to capture the ssid of a Wireless Session
            - name: access_point
              overwrite: true
              type: keyword
              description: This key is used to capture the access point name.
            - name: wlan_channel
              overwrite: true
              type: long
              description: This is used to capture the wireless channel (stored as a number)
            - name: wlan_name
              overwrite: true
              type: keyword
              description: This key captures the WLAN number or name
          - name: storage
            overwrite: true
            type: group
            fields:
            - name: disk_volume
              overwrite: true
              type: keyword
              description: A unique name assigned to logical units (volumes) within a physical
                disk
            - name: lun
              overwrite: true
              type: keyword
              description: Logical Unit Number, the identifier of a logical unit in storage.
            - name: pwwn
              overwrite: true
              type: keyword
              description: This uniquely identifies a port on an HBA.
          - name: physical
            overwrite: true
            type: group
            fields:
            - name: org_dst
              overwrite: true
              type: keyword
              description: This is used to capture the destination organization based on the
                GeoIP MaxMind database.
            - name: org_src
              overwrite: true
              type: keyword
              description: This is used to capture the source organization based on the GeoIP
                MaxMind database.
          - name: healthcare
            overwrite: true
            type: group
            fields:
            - name: patient_fname
              overwrite: true
              type: keyword
              description: This key is for first names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_id
              overwrite: true
              type: keyword
              description: This key captures the unique ID for a patient
            - name: patient_lname
              overwrite: true
              type: keyword
              description: This key is for last names only; it is used predominantly in healthcare
                to capture patient information
            - name: patient_mname
              overwrite: true
              type: keyword
              description: This key is for middle names only; it is used predominantly in healthcare
                to capture patient information
          - name: endpoint
            overwrite: true
            type: group
            fields:
            - name: host_state
              overwrite: true
              type: keyword
              description: This key is used to capture the current state of the machine, such
                as blacklisted, infected, firewall disabled and so on
            - name: registry_key
              overwrite: true
              type: keyword
              description: This key captures the path to the registry key
            - name: registry_value
              overwrite: true
              type: keyword
              description: This key captures values or decorators used within a registry entry
- key: aws-cloudwatch
  title: "AWS CloudWatch"
  description: >
    Fields from AWS CloudWatch logs.
  fields:
    - name: awscloudwatch
      deprecated: 9.0.0
      default_field: true
      type: group
      description: >
        Fields from AWS CloudWatch logs.
        Deprecated: Use aws.cloudwatch.* instead
      fields:
        - name: log_group
          type: keyword
          description: >
            The name of the log group to which this event belongs.
            Deprecated: Use aws.cloudwatch.log_group instead
        - name: log_stream
          type: keyword
          description: >
            The name of the log stream to which this event belongs.
            Deprecated: Use aws.cloudwatch.log_stream instead
        - name: ingestion_time
          type: keyword
          description: >
            The time the event was ingested in AWS CloudWatch.
            Deprecated: Use aws.cloudwatch.ingestion_time instead
    - name: aws.cloudwatch
      default_field: true
      type: group
      description: >
        Fields from AWS CloudWatch logs.
      fields:
        - name: log_group
          type: keyword
          description: The name of the log group to which this event belongs.
        - name: log_stream
          type: keyword
          description: The name of the log stream to which this event belongs.
        - name: ingestion_time
          type: keyword
          description: The time the event was ingested in AWS CloudWatch.
- key: s3
  title: "s3"
  description: >
    S3 fields from s3 input.
  release: ga
  fields:
    - name: bucket.name
      default_field: true
      type: keyword
      description: >
        Name of the S3 bucket that this log was retrieved from.
    - name: bucket.arn
      default_field: true
      type: keyword
      description: >
        ARN of the S3 bucket that this log was retrieved from.
    - name: object.key
      default_field: true
      type: keyword
      description: >
        Name of the S3 object that this log was retrieved from.
    - name: metadata
      default_field: true
      type: flattened
      description:
        AWS S3 object metadata values.
########################################
# This file is generated. Do not modify.
########################################
- key: netflow
  title: "NetFlow"
  description: >
    Fields from NetFlow and IPFIX flows.
  fields:
    - name: netflow
      type: group
      description: >
        Fields from NetFlow and IPFIX.
      fields:
        - name: type
          type: keyword
          description: >
            The type of NetFlow record described by this event.

        - name: exporter
          type: group
          description: >
            Metadata related to the exporter device that generated this record.
          fields:
            - name: address
              type: keyword
              description: >
                Exporter's network address in IP:port format.

            - name: source_id
              type: long
              description: >
                Observation domain ID to which this record belongs.

            - name: timestamp
              type: date
              description: >
                Time and date of export.

            - name: uptime_millis
              type: long
              description: >
                How long the exporter process has been running, in milliseconds.

            - name: version
              type: integer
              description: >
                NetFlow version used.

        - name: absolute_error
          type: double

        - name: address_pool_high_threshold
          type: long

        - name: address_pool_low_threshold
          type: long

        - name: address_port_mapping_high_threshold
          type: long

        - name: address_port_mapping_low_threshold
          type: long

        - name: address_port_mapping_per_user_high_threshold
          type: long

        - name: afc_protocol
          type: integer

        - name: afc_protocol_name
          type: keyword

        - name: anonymization_flags
          type: integer

        - name: anonymization_technique
          type: integer

        - name: application_business-relevance
          type: long

        - name: application_category_name
          type: keyword

        - name: application_description
          type: keyword

        - name: application_group_name
          type: keyword

        - name: application_http_uri_statistics
          type: short

        - name: application_http_user-agent
          type: short

        - name: application_id
          type: short

        - name: application_name
          type: keyword

        - name: application_sub_category_name
          type: keyword

        - name: application_traffic-class
          type: long

        - name: art_client_network_time_maximum
          type: long

        - name: art_client_network_time_minimum
          type: long

        - name: art_client_network_time_sum
          type: long

        - name: art_clientpackets
          type: long

        - name: art_count_late_responses
          type: long

        - name: art_count_new_connections
          type: long

        - name: art_count_responses
          type: long

        - name: art_count_responses_histogram_bucket1
          type: long

        - name: art_count_responses_histogram_bucket2
          type: long

        - name: art_count_responses_histogram_bucket3
          type: long

        - name: art_count_responses_histogram_bucket4
          type: long

        - name: art_count_responses_histogram_bucket5
          type: long

        - name: art_count_responses_histogram_bucket6
          type: long

        - name: art_count_responses_histogram_bucket7
          type: long

        - name: art_count_retransmissions
          type: long

        - name: art_count_transactions
          type: long

        - name: art_network_time_maximum
          type: long

        - name: art_network_time_minimum
          type: long

        - name: art_network_time_sum
          type: long

        - name: art_response_time_maximum
          type: long

        - name: art_response_time_minimum
          type: long

        - name: art_response_time_sum
          type: long

        - name: art_server_network_time_maximum
          type: long

        - name: art_server_network_time_minimum
          type: long

        - name: art_server_network_time_sum
          type: long

        - name: art_server_response_time_maximum
          type: long

        - name: art_server_response_time_minimum
          type: long

        - name: art_server_response_time_sum
          type: long

        - name: art_serverpackets
          type: long

        - name: art_total_response_time_maximum
          type: long

        - name: art_total_response_time_minimum
          type: long

        - name: art_total_response_time_sum
          type: long

        - name: art_total_transaction_time_maximum
          type: long

        - name: art_total_transaction_time_minimum
          type: long

        - name: art_total_transaction_time_sum
          type: long

        - name: assembled_fragment_count
          type: long

        - name: audit_counter
          type: long

        - name: average_interarrival_time
          type: long

        - name: bgp_destination_as_number
          type: long

        - name: bgp_next_adjacent_as_number
          type: long

        - name: bgp_next_hop_ipv4_address
          type: ip

        - name: bgp_next_hop_ipv6_address
          type: ip

        - name: bgp_prev_adjacent_as_number
          type: long

        - name: bgp_source_as_number
          type: long

        - name: bgp_validity_state
          type: short

        - name: biflow_direction
          type: short

        - name: bind_ipv4_address
          type: ip

        - name: bind_transport_port
          type: integer

        - name: class_id
          type: long

        - name: class_name
          type: keyword

        - name: classification_engine_id
          type: short

        - name: collection_time_milliseconds
          type: date

        - name: collector_certificate
          type: short

        - name: collector_ipv4_address
          type: ip

        - name: collector_ipv6_address
          type: ip

        - name: collector_transport_port
          type: integer

        - name: common_properties_id
          type: long

        - name: confidence_level
          type: double

        - name: conn_ipv4_address
          type: ip

        - name: conn_transport_port
          type: integer

        - name: connection_sum_duration_seconds
          type: long

        - name: connection_transaction_id
          type: long

        - name: conntrack_id
          type: long

        - name: data_byte_count
          type: long

        - name: data_link_frame_section
          type: short

        - name: data_link_frame_size
          type: integer

        - name: data_link_frame_type
          type: integer

        - name: data_records_reliability
          type: boolean

        - name: delta_flow_count
          type: long

        - name: destination_ipv4_address
          type: ip

        - name: destination_ipv4_prefix
          type: ip

        - name: destination_ipv4_prefix_length
          type: short

        - name: destination_ipv6_address
          type: ip

        - name: destination_ipv6_prefix
          type: ip

        - name: destination_ipv6_prefix_length
          type: short

        - name: destination_mac_address
          type: keyword

        - name: destination_transport_port
          type: integer

        - name: digest_hash_value
          type: long

        - name: distinct_count_of_destination_ip_address
          type: long

        - name: distinct_count_of_destination_ipv4_address
          type: long

        - name: distinct_count_of_destination_ipv6_address
          type: long

        - name: distinct_count_of_source_ip_address
          type: long

        - name: distinct_count_of_source_ipv4_address
          type: long

        - name: distinct_count_of_source_ipv6_address
          type: long

        - name: dns_authoritative
          type: short

        - name: dns_cname
          type: keyword

        - name: dns_id
          type: integer

        - name: dns_mx_exchange
          type: keyword

        - name: dns_mx_preference
          type: integer

        - name: dns_nsd_name
          type: keyword

        - name: dns_nx_domain
          type: short

        - name: dns_ptrd_name
          type: keyword

        - name: dns_qname
          type: keyword

        - name: dns_qr_type
          type: integer

        - name: dns_query_response
          type: short

        - name: dns_rr_section
          type: short

        - name: dns_soa_expire
          type: long

        - name: dns_soa_minimum
          type: long

        - name: dns_soa_refresh
          type: long

        - name: dns_soa_retry
          type: long

        - name: dns_soa_serial
          type: long

        - name: dns_soam_name
          type: keyword

        - name: dns_soar_name
          type: keyword

        - name: dns_srv_port
          type: integer

        - name: dns_srv_priority
          type: integer

        - name: dns_srv_target
          type: integer

        - name: dns_srv_weight
          type: integer

        - name: dns_ttl
          type: long

        - name: dns_txt_data
          type: keyword

        - name: dot1q_customer_dei
          type: boolean

        - name: dot1q_customer_destination_mac_address
          type: keyword

        - name: dot1q_customer_priority
          type: short

        - name: dot1q_customer_source_mac_address
          type: keyword

        - name: dot1q_customer_vlan_id
          type: integer

        - name: dot1q_dei
          type: boolean

        - name: dot1q_priority
          type: short

        - name: dot1q_service_instance_id
          type: long

        - name: dot1q_service_instance_priority
          type: short

        - name: dot1q_service_instance_tag
          type: short

        - name: dot1q_vlan_id
          type: integer

        - name: dropped_layer2_octet_delta_count
          type: long

        - name: dropped_layer2_octet_total_count
          type: long

        - name: dropped_octet_delta_count
          type: long

        - name: dropped_octet_total_count
          type: long

        - name: dropped_packet_delta_count
          type: long

        - name: dropped_packet_total_count
          type: long

        - name: dst_traffic_index
          type: long

        - name: egress_broadcast_packet_total_count
          type: long

        - name: egress_interface
          type: long

        - name: egress_interface_type
          type: long

        - name: egress_physical_interface
          type: long

        - name: egress_unicast_packet_total_count
          type: long

        - name: egress_vrfid
          type: long

        - name: encrypted_technology
          type: keyword

        - name: engine_id
          type: short

        - name: engine_type
          type: short

        - name: ethernet_header_length
          type: short

        - name: ethernet_payload_length
          type: integer

        - name: ethernet_total_length
          type: integer

        - name: ethernet_type
          type: integer

        - name: expired_fragment_count
          type: long

        - name: export_interface
          type: long

        - name: export_protocol_version
          type: short

        - name: export_sctp_stream_id
          type: integer

        - name: export_transport_protocol
          type: short

        - name: exported_flow_record_total_count
          type: long

        - name: exported_message_total_count
          type: long

        - name: exported_octet_total_count
          type: long

        - name: exporter_certificate
          type: short

        - name: exporter_ipv4_address
          type: ip

        - name: exporter_ipv6_address
          type: ip

        - name: exporter_transport_port
          type: integer

        - name: exporting_process_id
          type: long

        - name: external_address_realm
          type: short

        - name: firewall_event
          type: short

        - name: first_eight_non_empty_packet_directions
          type: short

        - name: first_non_empty_packet_size
          type: integer

        - name: first_packet_banner
          type: keyword

        - name: flags_and_sampler_id
          type: long

        - name: flow_active_timeout
          type: integer

        - name: flow_attributes
          type: integer

        - name: flow_direction
          type: short

        - name: flow_duration_microseconds
          type: long

        - name: flow_duration_milliseconds
          type: long

        - name: flow_end_delta_microseconds
          type: long

        - name: flow_end_microseconds
          type: date

        - name: flow_end_milliseconds
          type: date

        - name: flow_end_nanoseconds
          type: date

        - name: flow_end_reason
          type: short

        - name: flow_end_seconds
          type: date

        - name: flow_end_sys_up_time
          type: long

        - name: flow_id
          type: long

        - name: flow_idle_timeout
          type: integer

        - name: flow_key_indicator
          type: long

        - name: flow_label_ipv6
          type: long

        - name: flow_sampling_time_interval
          type: long

        - name: flow_sampling_time_spacing
          type: long

        - name: flow_selected_flow_delta_count
          type: long

        - name: flow_selected_octet_delta_count
          type: long

        - name: flow_selected_packet_delta_count
          type: long

        - name: flow_selector_algorithm
          type: integer

        - name: flow_start_delta_microseconds
          type: long

        - name: flow_start_microseconds
          type: date

        - name: flow_start_milliseconds
          type: date

        - name: flow_start_nanoseconds
          type: date

        - name: flow_start_seconds
          type: date

        - name: flow_start_sys_up_time
          type: long

        - name: flow_table_flush_event_count
          type: long

        - name: flow_table_peak_count
          type: long

        - name: forwarding_status
          type: short

        - name: fragment_flags
          type: short

        - name: fragment_identification
          type: long

        - name: fragment_offset
          type: integer

        - name: fw_blackout_secs
          type: long

        - name: fw_configured_value
          type: long

        - name: fw_cts_src_sgt
          type: long

        - name: fw_event_level
          type: long

        - name: fw_event_level_id
          type: long

        - name: fw_ext_event
          type: integer

        - name: fw_ext_event_alt
          type: long

        - name: fw_ext_event_desc
          type: keyword

        - name: fw_half_open_count
          type: long

        - name: fw_half_open_high
          type: long

        - name: fw_half_open_rate
          type: long

        - name: fw_max_sessions
          type: long

        - name: fw_rule
          type: keyword

        - name: fw_summary_pkt_count
          type: long

        - name: fw_zone_pair_id
          type: long

        - name: fw_zone_pair_name
          type: long

        - name: global_address_mapping_high_threshold
          type: long

        - name: gre_key
          type: long

        - name: hash_digest_output
          type: boolean

        - name: hash_flow_domain
          type: integer

        - name: hash_initialiser_value
          type: long

        - name: hash_ip_payload_offset
          type: long

        - name: hash_ip_payload_size
          type: long

        - name: hash_output_range_max
          type: long

        - name: hash_output_range_min
          type: long

        - name: hash_selected_range_max
          type: long

        - name: hash_selected_range_min
          type: long

        - name: http_content_type
          type: keyword

        - name: http_message_version
          type: keyword

        - name: http_reason_phrase
          type: keyword

        - name: http_request_host
          type: keyword

        - name: http_request_method
          type: keyword

        - name: http_request_target
          type: keyword

        - name: http_status_code
          type: integer

        - name: http_user_agent
          type: keyword

        - name: icmp_code_ipv4
          type: short

        - name: icmp_code_ipv6
          type: short

        - name: icmp_type_code_ipv4
          type: integer

        - name: icmp_type_code_ipv6
          type: integer

        - name: icmp_type_ipv4
          type: short

        - name: icmp_type_ipv6
          type: short

        - name: igmp_type
          type: short

        - name: ignored_data_record_total_count
          type: long

        - name: ignored_layer2_frame_total_count
          type: long

        - name: ignored_layer2_octet_total_count
          type: long

        - name: ignored_octet_total_count
          type: long

        - name: ignored_packet_total_count
          type: long

        - name: information_element_data_type
          type: short

        - name: information_element_description
          type: keyword

        - name: information_element_id
          type: integer

        - name: information_element_index
          type: integer

        - name: information_element_name
          type: keyword

        - name: information_element_range_begin
          type: long

        - name: information_element_range_end
          type: long

        - name: information_element_semantics
          type: short

        - name: information_element_units
          type: integer

        - name: ingress_broadcast_packet_total_count
          type: long

        - name: ingress_interface
          type: long

        - name: ingress_interface_type
          type: long

        - name: ingress_multicast_packet_total_count
          type: long

        - name: ingress_physical_interface
          type: long

        - name: ingress_unicast_packet_total_count
          type: long

        - name: ingress_vrfid
          type: long

        - name: initial_tcp_flags
          type: short

        - name: initiator_octets
          type: long

        - name: initiator_packets
          type: long

        - name: interface_description
          type: keyword

        - name: interface_name
          type: keyword

        - name: intermediate_process_id
          type: long

        - name: internal_address_realm
          type: short

        - name: ip_class_of_service
          type: short

        - name: ip_diff_serv_code_point
          type: short

        - name: ip_header_length
          type: short

        - name: ip_header_packet_section
          type: short

        - name: ip_next_hop_ipv4_address
          type: ip

        - name: ip_next_hop_ipv6_address
          type: ip

        - name: ip_payload_length
          type: long

        - name: ip_payload_packet_section
          type: short

        - name: ip_precedence
          type: short

        - name: ip_sec_spi
          type: long

        - name: ip_total_length
          type: long

        - name: ip_ttl
          type: short

        - name: ip_version
          type: short

        - name: ipv4_ihl
          type: short

        - name: ipv4_options
          type: long

        - name: ipv4_router_sc
          type: ip

        - name: ipv6_extension_headers
          type: long

        - name: is_multicast
          type: short

        - name: ixia_browser_id
          type: short

        - name: ixia_browser_name
          type: keyword

        - name: ixia_device_id
          type: short

        - name: ixia_device_name
          type: keyword

        - name: ixia_dns_answer
          type: keyword

        - name: ixia_dns_classes
          type: keyword

        - name: ixia_dns_query
          type: keyword

        - name: ixia_dns_record_txt
          type: keyword

        - name: ixia_dst_as_name
          type: keyword

        - name: ixia_dst_city_name
          type: keyword

        - name: ixia_dst_country_code
          type: keyword

        - name: ixia_dst_country_name
          type: keyword

        - name: ixia_dst_latitude
          type: float

        - name: ixia_dst_longitude
          type: float

        - name: ixia_dst_region_code
          type: keyword

        - name: ixia_dst_region_node
          type: keyword

        - name: ixia_encrypt_cipher
          type: keyword

        - name: ixia_encrypt_key_length
          type: integer

        - name: ixia_encrypt_type
          type: keyword

        - name: ixia_http_host_name
          type: keyword

        - name: ixia_http_uri
          type: keyword

        - name: ixia_http_user_agent
          type: keyword

        - name: ixia_imsi_subscriber
          type: keyword

        - name: ixia_l7_app_id
          type: long

        - name: ixia_l7_app_name
          type: keyword

        - name: ixia_latency
          type: long

        - name: ixia_rev_octet_delta_count
          type: long

        - name: ixia_rev_packet_delta_count
          type: long

        - name: ixia_src_as_name
          type: keyword

        - name: ixia_src_city_name
          type: keyword

        - name: ixia_src_country_code
          type: keyword

        - name: ixia_src_country_name
          type: keyword

        - name: ixia_src_latitude
          type: float

        - name: ixia_src_longitude
          type: float

        - name: ixia_src_region_code
          type: keyword

        - name: ixia_src_region_name
          type: keyword

        - name: ixia_threat_ipv4
          type: ip

        - name: ixia_threat_ipv6
          type: ip

        - name: ixia_threat_type
          type: keyword

        - name: large_packet_count
          type: long

        - name: layer2_frame_delta_count
          type: long

        - name: layer2_frame_total_count
          type: long

        - name: layer2_octet_delta_count
          type: long

        - name: layer2_octet_delta_sum_of_squares
          type: long

        - name: layer2_octet_total_count
          type: long

        - name: layer2_octet_total_sum_of_squares
          type: long

        - name: layer2_segment_id
          type: long

        - name: layer2packet_section_data
          type: short

        - name: layer2packet_section_offset
          type: integer

        - name: layer2packet_section_size
          type: integer

        - name: line_card_id
          type: long

        - name: log_op
          type: short

        - name: lower_ci_limit
          type: double

        - name: mark
          type: long

        - name: max_bib_entries
          type: long

        - name: max_entries_per_user
          type: long

        - name: max_export_seconds
          type: date

        - name: max_flow_end_microseconds
          type: date

        - name: max_flow_end_milliseconds
          type: date

        - name: max_flow_end_nanoseconds
          type: date

        - name: max_flow_end_seconds
          type: date

        - name: max_fragments_pending_reassembly
          type: long

        - name: max_packet_size
          type: integer

        - name: max_session_entries
          type: long

        - name: max_subscribers
          type: long

        - name: maximum_ip_total_length
          type: long

        - name: maximum_layer2_total_length
          type: long

        - name: maximum_ttl
          type: short

        - name: mean_flow_rate
          type: long

        - name: mean_packet_rate
          type: long

        - name: message_md5_checksum
          type: short

        - name: message_scope
          type: short

        - name: metering_process_id
          type: long

        - name: metro_evc_id
          type: keyword

        - name: metro_evc_type
          type: short

        - name: mib_capture_time_semantics
          type: short

        - name: mib_context_engine_id
          type: short

        - name: mib_context_name
          type: keyword

        - name: mib_index_indicator
          type: long

        - name: mib_module_name
          type: keyword

        - name: mib_object_description
          type: keyword

        - name: mib_object_identifier
          type: short

        - name: mib_object_name
          type: keyword

        - name: mib_object_syntax
          type: keyword

        - name: mib_object_value_bits
          type: short

        - name: mib_object_value_counter
          type: long

        - name: mib_object_value_gauge
          type: long

        - name: mib_object_value_integer
          type: integer

        - name: mib_object_value_ip_address
          type: ip

        - name: mib_object_value_octet_string
          type: short

        - name: mib_object_value_oid
          type: short

        - name: mib_object_value_time_ticks
          type: long

        - name: mib_object_value_unsigned
          type: long

        - name: mib_sub_identifier
          type: long

        - name: min_export_seconds
          type: date

        - name: min_flow_start_microseconds
          type: date

        - name: min_flow_start_milliseconds
          type: date

        - name: min_flow_start_nanoseconds
          type: date

        - name: min_flow_start_seconds
          type: date

        - name: minimum_ip_total_length
          type: long

        - name: minimum_layer2_total_length
          type: long

        - name: minimum_ttl
          type: short

        - name: mobile_imsi
          type: keyword

        - name: mobile_msisdn
          type: keyword

        - name: monitoring_interval_end_milli_seconds
          type: date

        - name: monitoring_interval_start_milli_seconds
          type: date

        - name: mpls_label_stack_depth
          type: long

        - name: mpls_label_stack_length
          type: long

        - name: mpls_label_stack_section
          type: short

        - name: mpls_label_stack_section10
          type: short

        - name: mpls_label_stack_section2
          type: short

        - name: mpls_label_stack_section3
          type: short

        - name: mpls_label_stack_section4
          type: short

        - name: mpls_label_stack_section5
          type: short

        - name: mpls_label_stack_section6
          type: short

        - name: mpls_label_stack_section7
          type: short

        - name: mpls_label_stack_section8
          type: short

        - name: mpls_label_stack_section9
          type: short

        - name: mpls_payload_length
          type: long

        - name: mpls_payload_packet_section
          type: short

        - name: mpls_top_label_exp
          type: short

        - name: mpls_top_label_ipv4_address
          type: ip

        - name: mpls_top_label_ipv6_address
          type: ip

        - name: mpls_top_label_prefix_length
          type: short

        - name: mpls_top_label_stack_section
          type: short

        - name: mpls_top_label_ttl
          type: short

        - name: mpls_top_label_type
          type: short

        - name: mpls_vpn_route_distinguisher
          type: short

        - name: mptcp_address_id
          type: short

        - name: mptcp_flags
          type: short

        - name: mptcp_initial_data_sequence_number
          type: long

        - name: mptcp_maximum_segment_size
          type: integer

        - name: mptcp_receiver_token
          type: long

        - name: multicast_replication_factor
          type: long

        - name: nat_event
          type: short

        - name: nat_inside_svcid
          type: integer

        - name: nat_instance_id
          type: long

        - name: nat_originating_address_realm
          type: short

        - name: nat_outside_svcid
          type: integer

        - name: nat_pool_id
          type: long

        - name: nat_pool_name
          type: keyword

        - name: nat_quota_exceeded_event
          type: long

        - name: nat_sub_string
          type: keyword

        - name: nat_threshold_event
          type: long

        - name: nat_type
          type: short

        - name: netscale_ica_client_version
          type: keyword

        - name: netscaler_aaa_username
          type: keyword

        - name: netscaler_app_name
          type: keyword

        - name: netscaler_app_name_app_id
          type: long

        - name: netscaler_app_name_incarnation_number
          type: long

        - name: netscaler_app_template_name
          type: keyword

        - name: netscaler_app_unit_name_app_id
          type: long

        - name: netscaler_application_startup_duration
          type: long

        - name: netscaler_application_startup_time
          type: long

        - name: netscaler_cache_redir_client_connection_core_id
          type: long

        - name: netscaler_cache_redir_client_connection_transaction_id
          type: long

        - name: netscaler_client_rtt
          type: long

        - name: netscaler_connection_chain_hop_count
          type: long

        - name: netscaler_connection_chain_id
          type: short

        - name: netscaler_connection_id
          type: long

        - name: netscaler_current_license_consumed
          type: long

        - name: netscaler_db_clt_host_name
          type: keyword

        - name: netscaler_db_database_name
          type: keyword

        - name: netscaler_db_login_flags
          type: long

        - name: netscaler_db_protocol_name
          type: short

        - name: netscaler_db_req_string
          type: keyword

        - name: netscaler_db_req_type
          type: short

        - name: netscaler_db_resp_length
          type: long

        - name: netscaler_db_resp_status
          type: long

        - name: netscaler_db_resp_status_string
          type: keyword

        - name: netscaler_db_user_name
          type: keyword

        - name: netscaler_flow_flags
          type: long

        - name: netscaler_http_client_interaction_end_time
          type: keyword

        - name: netscaler_http_client_interaction_start_time
          type: keyword

        - name: netscaler_http_client_render_end_time
          type: keyword

        - name: netscaler_http_client_render_start_time
          type: keyword

        - name: netscaler_http_content_type
          type: keyword

        - name: netscaler_http_domain_name
          type: keyword

        - name: netscaler_http_req_authorization
          type: keyword

        - name: netscaler_http_req_cookie
          type: keyword

        - name: netscaler_http_req_forw_fb
          type: long

        - name: netscaler_http_req_forw_lb
          type: long

        - name: netscaler_http_req_host
          type: keyword

        - name: netscaler_http_req_method
          type: keyword

        - name: netscaler_http_req_rcv_fb
          type: long

        - name: netscaler_http_req_rcv_lb
          type: long

        - name: netscaler_http_req_referer
          type: keyword

        - name: netscaler_http_req_url
          type: keyword

        - name: netscaler_http_req_user_agent
          type: keyword

        - name: netscaler_http_req_via
          type: keyword

        - name: netscaler_http_req_xforwarded_for
          type: keyword

        - name: netscaler_http_res_forw_fb
          type: long

        - name: netscaler_http_res_forw_lb
          type: long

        - name: netscaler_http_res_location
          type: keyword

        - name: netscaler_http_res_rcv_fb
          type: long

        - name: netscaler_http_res_rcv_lb
          type: long

        - name: netscaler_http_res_set_cookie
          type: keyword

        - name: netscaler_http_res_set_cookie2
          type: keyword

        - name: netscaler_http_rsp_len
          type: long

        - name: netscaler_http_rsp_status
          type: integer

        - name: netscaler_ica_app_module_path
          type: keyword

        - name: netscaler_ica_app_process_id
          type: long

        - name: netscaler_ica_application_name
          type: keyword

        - name: netscaler_ica_application_termination_time
          type: long

        - name: netscaler_ica_application_termination_type
          type: integer

        - name: netscaler_ica_channel_id1
          type: long

        - name: netscaler_ica_channel_id1_bytes
          type: long

        - name: netscaler_ica_channel_id2
          type: long

        - name: netscaler_ica_channel_id2_bytes
          type: long

        - name: netscaler_ica_channel_id3
          type: long

        - name: netscaler_ica_channel_id3_bytes
          type: long

        - name: netscaler_ica_channel_id4
          type: long

        - name: netscaler_ica_channel_id4_bytes
          type: long

        - name: netscaler_ica_channel_id5
          type: long

        - name: netscaler_ica_channel_id5_bytes
          type: long

        - name: netscaler_ica_client_host_name
          type: keyword

        - name: netscaler_ica_client_ip
          type: ip

        - name: netscaler_ica_client_launcher
          type: integer

        - name: netscaler_ica_client_side_rto_count
          type: integer

        - name: netscaler_ica_client_side_window_size
          type: integer

        - name: netscaler_ica_client_type
          type: integer

        - name: netscaler_ica_clientside_delay
          type: long

        - name: netscaler_ica_clientside_jitter
          type: long

        - name: netscaler_ica_clientside_packets_retransmit
          type: integer

        - name: netscaler_ica_clientside_rtt
          type: long

        - name: netscaler_ica_clientside_rx_bytes
          type: long

        - name: netscaler_ica_clientside_srtt
          type: long

        - name: netscaler_ica_clientside_tx_bytes
          type: long

        - name: netscaler_ica_connection_priority
          type: integer

        - name: netscaler_ica_device_serial_no
          type: long

        - name: netscaler_ica_domain_name
          type: keyword

        - name: netscaler_ica_flags
          type: long

        - name: netscaler_ica_host_delay
          type: long

        - name: netscaler_ica_l7_client_latency
          type: long

        - name: netscaler_ica_l7_server_latency
          type: long

        - name: netscaler_ica_launch_mechanism
          type: integer

        - name: netscaler_ica_network_update_end_time
          type: long

        - name: netscaler_ica_network_update_start_time
          type: long

        - name: netscaler_ica_rtt
          type: long

        - name: netscaler_ica_server_name
          type: keyword

        - name: netscaler_ica_server_side_rto_count
          type: integer

        - name: netscaler_ica_server_side_window_size
          type: integer

        - name: netscaler_ica_serverside_delay
          type: long

        - name: netscaler_ica_serverside_jitter
          type: long

        - name: netscaler_ica_serverside_packets_retransmit
          type: integer

        - name: netscaler_ica_serverside_rtt
          type: long

        - name: netscaler_ica_serverside_srtt
          type: long

        - name: netscaler_ica_session_end_time
          type: long

        - name: netscaler_ica_session_guid
          type: short

        - name: netscaler_ica_session_reconnects
          type: short

        - name: netscaler_ica_session_setup_time
          type: long

        - name: netscaler_ica_session_update_begin_sec
          type: long

        - name: netscaler_ica_session_update_end_sec
          type: long

        - name: netscaler_ica_username
          type: keyword

        - name: netscaler_license_type
          type: short

        - name: netscaler_main_page_core_id
          type: long

        - name: netscaler_main_page_id
          type: long

        - name: netscaler_max_license_count
          type: long

        - name: netscaler_msi_client_cookie
          type: short

        - name: netscaler_round_trip_time
          type: long

        - name: netscaler_server_ttfb
          type: long

        - name: netscaler_server_ttlb
          type: long

        - name: netscaler_syslog_message
          type: keyword

        - name: netscaler_syslog_priority
          type: short

        - name: netscaler_syslog_timestamp
          type: long

        - name: netscaler_transaction_id
          type: long

        - name: netscaler_unknown270
          type: long

        - name: netscaler_unknown271
          type: long

        - name: netscaler_unknown272
          type: long

        - name: netscaler_unknown273
          type: long

        - name: netscaler_unknown274
          type: long

        - name: netscaler_unknown275
          type: long

        - name: netscaler_unknown276
          type: long

        - name: netscaler_unknown277
          type: long

        - name: netscaler_unknown278
          type: long

        - name: netscaler_unknown279
          type: long

        - name: netscaler_unknown280
          type: long

        - name: netscaler_unknown281
          type: long

        - name: netscaler_unknown282
          type: long

        - name: netscaler_unknown283
          type: long

        - name: netscaler_unknown284
          type: long

        - name: netscaler_unknown285
          type: long

        - name: netscaler_unknown286
          type: long

        - name: netscaler_unknown287
          type: long

        - name: netscaler_unknown288
          type: long

        - name: netscaler_unknown289
          type: long

        - name: netscaler_unknown290
          type: long

        - name: netscaler_unknown291
          type: long

        - name: netscaler_unknown292
          type: long

        - name: netscaler_unknown293
          type: long

        - name: netscaler_unknown294
          type: long

        - name: netscaler_unknown295
          type: long

        - name: netscaler_unknown296
          type: long

        - name: netscaler_unknown297
          type: long

        - name: netscaler_unknown298
          type: long

        - name: netscaler_unknown299
          type: long

        - name: netscaler_unknown300
          type: long

        - name: netscaler_unknown301
          type: long

        - name: netscaler_unknown302
          type: long

        - name: netscaler_unknown303
          type: long

        - name: netscaler_unknown304
          type: long

        - name: netscaler_unknown305
          type: long

        - name: netscaler_unknown306
          type: long

        - name: netscaler_unknown307
          type: long

        - name: netscaler_unknown308
          type: long

        - name: netscaler_unknown309
          type: long

        - name: netscaler_unknown310
          type: long

        - name: netscaler_unknown311
          type: long

        - name: netscaler_unknown312
          type: long

        - name: netscaler_unknown313
          type: long

        - name: netscaler_unknown314
          type: long

        - name: netscaler_unknown315
          type: long

        - name: netscaler_unknown316
          type: keyword

        - name: netscaler_unknown317
          type: long

        - name: netscaler_unknown318
          type: long

        - name: netscaler_unknown319
          type: keyword

        - name: netscaler_unknown320
          type: integer

        - name: netscaler_unknown321
          type: long

        - name: netscaler_unknown322
          type: long

        - name: netscaler_unknown323
          type: integer

        - name: netscaler_unknown324
          type: integer

        - name: netscaler_unknown325
          type: integer

        - name: netscaler_unknown326
          type: integer

        - name: netscaler_unknown327
          type: long

        - name: netscaler_unknown328
          type: integer

        - name: netscaler_unknown329
          type: integer

        - name: netscaler_unknown330
          type: integer

        - name: netscaler_unknown331
          type: integer

        - name: netscaler_unknown332
          type: long

        - name: netscaler_unknown333
          type: keyword

        - name: netscaler_unknown334
          type: keyword

        - name: netscaler_unknown335
          type: long

        - name: netscaler_unknown336
          type: long

        - name: netscaler_unknown337
          type: long

        - name: netscaler_unknown338
          type: long

        - name: netscaler_unknown339
          type: long

        - name: netscaler_unknown340
          type: long

        - name: netscaler_unknown341
          type: long

        - name: netscaler_unknown342
          type: long

        - name: netscaler_unknown343
          type: long

        - name: netscaler_unknown344
          type: long

        - name: netscaler_unknown345
          type: long

        - name: netscaler_unknown346
          type: long

        - name: netscaler_unknown347
          type: long

        - name: netscaler_unknown348
          type: integer

        - name: netscaler_unknown349
          type: keyword

        - name: netscaler_unknown350
          type: keyword

        - name: netscaler_unknown351
          type: keyword

        - name: netscaler_unknown352
          type: integer

        - name: netscaler_unknown353
          type: long

        - name: netscaler_unknown354
          type: long

        - name: netscaler_unknown355
          type: long

        - name: netscaler_unknown356
          type: long

        - name: netscaler_unknown357
          type: long

        - name: netscaler_unknown363
          type: short

        - name: netscaler_unknown383
          type: short

        - name: netscaler_unknown391
          type: long

        - name: netscaler_unknown398
          type: long

        - name: netscaler_unknown404
          type: long

        - name: netscaler_unknown405
          type: long

        - name: netscaler_unknown427
          type: long

        - name: netscaler_unknown429
          type: short

        - name: netscaler_unknown432
          type: short

        - name: netscaler_unknown433
          type: short

        - name: netscaler_unknown453
          type: long

        - name: netscaler_unknown465
          type: long

        - name: new_connection_delta_count
          type: long

        - name: next_header_ipv6
          type: short

        - name: non_empty_packet_count
          type: long

        - name: not_sent_flow_total_count
          type: long

        - name: not_sent_layer2_octet_total_count
          type: long

        - name: not_sent_octet_total_count
          type: long

        - name: not_sent_packet_total_count
          type: long

        - name: observation_domain_id
          type: long

        - name: observation_domain_name
          type: keyword

        - name: observation_point_id
          type: long

        - name: observation_point_type
          type: short

        - name: observation_time_microseconds
          type: date

        - name: observation_time_milliseconds
          type: date

        - name: observation_time_nanoseconds
          type: date

        - name: observation_time_seconds
          type: date

        - name: observed_flow_total_count
          type: long

        - name: octet_delta_count
          type: long

        - name: octet_delta_sum_of_squares
          type: long

        - name: octet_total_count
          type: long

        - name: octet_total_sum_of_squares
          type: long

        - name: opaque_octets
          type: short

        - name: original_exporter_ipv4_address
          type: ip

        - name: original_exporter_ipv6_address
          type: ip

        - name: original_flows_completed
          type: long

        - name: original_flows_initiated
          type: long

        - name: original_flows_present
          type: long

        - name: original_observation_domain_id
          type: long

        - name: os_finger_print
          type: keyword

        - name: os_name
          type: keyword

        - name: os_version
          type: keyword

        - name: p2p_technology
          type: keyword

        - name: packet_delta_count
          type: long

        - name: packet_total_count
          type: long

        - name: padding_octets
          type: short

        - name: payload
          type: keyword

        - name: payload_entropy
          type: short

        - name: payload_length_ipv6
          type: integer

        - name: policy_qos_classification_hierarchy
          type: long

        - name: policy_qos_queue_index
          type: long

        - name: policy_qos_queuedrops
          type: long

        - name: policy_qos_queueindex
          type: long

        - name: port_id
          type: long

        - name: port_range_end
          type: integer

        - name: port_range_num_ports
          type: integer

        - name: port_range_start
          type: integer

        - name: port_range_step_size
          type: integer

        - name: post_destination_mac_address
          type: keyword

        - name: post_dot1q_customer_vlan_id
          type: integer

        - name: post_dot1q_vlan_id
          type: integer

        - name: post_ip_class_of_service
          type: short

        - name: post_ip_diff_serv_code_point
          type: short

        - name: post_ip_precedence
          type: short

        - name: post_layer2_octet_delta_count
          type: long

        - name: post_layer2_octet_total_count
          type: long

        - name: post_mcast_layer2_octet_delta_count
          type: long

        - name: post_mcast_layer2_octet_total_count
          type: long

        - name: post_mcast_octet_delta_count
          type: long

        - name: post_mcast_octet_total_count
          type: long

        - name: post_mcast_packet_delta_count
          type: long

        - name: post_mcast_packet_total_count
          type: long

        - name: post_mpls_top_label_exp
          type: short

        - name: post_napt_destination_transport_port
          type: integer

        - name: post_napt_source_transport_port
          type: integer

        - name: post_nat_destination_ipv4_address
          type: ip

        - name: post_nat_destination_ipv6_address
          type: ip

        - name: post_nat_source_ipv4_address
          type: ip

        - name: post_nat_source_ipv6_address
          type: ip

        - name: post_octet_delta_count
          type: long

        - name: post_octet_total_count
          type: long

        - name: post_packet_delta_count
          type: long

        - name: post_packet_total_count
          type: long

        - name: post_source_mac_address
          type: keyword

        - name: post_vlan_id
          type: integer

        - name: private_enterprise_number
          type: long

        - name: procera_apn
          type: keyword

        - name: procera_base_service
          type: keyword

        - name: procera_content_categories
          type: keyword

        - name: procera_device_id
          type: long

        - name: procera_external_rtt
          type: integer

        - name: procera_flow_behavior
          type: keyword

        - name: procera_ggsn
          type: keyword

        - name: procera_http_content_type
          type: keyword

        - name: procera_http_file_length
          type: long

        - name: procera_http_language
          type: keyword

        - name: procera_http_location
          type: keyword

        - name: procera_http_referer
          type: keyword

        - name: procera_http_request_method
          type: keyword

        - name: procera_http_request_version
          type: keyword

        - name: procera_http_response_status
          type: integer

        - name: procera_http_url
          type: keyword

        - name: procera_http_user_agent
          type: keyword

        - name: procera_imsi
          type: long

        - name: procera_incoming_octets
          type: long

        - name: procera_incoming_packets
          type: long

        - name: procera_incoming_shaping_drops
          type: long

        - name: procera_incoming_shaping_latency
          type: integer

        - name: procera_internal_rtt
          type: integer

        - name: procera_local_ipv4_host
          type: ip

        - name: procera_local_ipv6_host
          type: ip

        - name: procera_msisdn
          type: long

        - name: procera_outgoing_octets
          type: long

        - name: procera_outgoing_packets
          type: long

        - name: procera_outgoing_shaping_drops
          type: long

        - name: procera_outgoing_shaping_latency
          type: integer

        - name: procera_property
          type: keyword

        - name: procera_qoe_incoming_external
          type: float

        - name: procera_qoe_incoming_internal
          type: float

        - name: procera_qoe_outgoing_external
          type: float

        - name: procera_qoe_outgoing_internal
          type: float

        - name: procera_rat
          type: keyword

        - name: procera_remote_ipv4_host
          type: ip

        - name: procera_remote_ipv6_host
          type: ip

        - name: procera_rnc
          type: integer

        - name: procera_server_hostname
          type: keyword

        - name: procera_service
          type: keyword

        - name: procera_sgsn
          type: keyword

        - name: procera_subscriber_identifier
          type: keyword

        - name: procera_template_name
          type: keyword

        - name: procera_user_location_information
          type: keyword

        - name: protocol_identifier
          type: short

        - name: pseudo_wire_control_word
          type: long

        - name: pseudo_wire_destination_ipv4_address
          type: ip

        - name: pseudo_wire_id
          type: long

        - name: pseudo_wire_type
          type: integer

        - name: reason
          type: long

        - name: reason_text
          type: keyword

        - name: relative_error
          type: double

        - name: responder_octets
          type: long

        - name: responder_packets
          type: long

        - name: reverse_absolute_error
          type: double

        - name: reverse_anonymization_flags
          type: integer

        - name: reverse_anonymization_technique
          type: integer

        - name: reverse_application_category_name
          type: keyword

        - name: reverse_application_description
          type: keyword

        - name: reverse_application_group_name
          type: keyword

        - name: reverse_application_id
          type: keyword

        - name: reverse_application_name
          type: keyword

        - name: reverse_application_sub_category_name
          type: keyword

        - name: reverse_average_interarrival_time
          type: long

        - name: reverse_bgp_destination_as_number
          type: long

        - name: reverse_bgp_next_adjacent_as_number
          type: long

        - name: reverse_bgp_next_hop_ipv4_address
          type: ip

        - name: reverse_bgp_next_hop_ipv6_address
          type: ip

        - name: reverse_bgp_prev_adjacent_as_number
          type: long

        - name: reverse_bgp_source_as_number
          type: long

        - name: reverse_bgp_validity_state
          type: short

        - name: reverse_class_id
          type: short

        - name: reverse_class_name
          type: keyword

        - name: reverse_classification_engine_id
          type: short

        - name: reverse_collection_time_milliseconds
          type: long

        - name: reverse_collector_certificate
          type: keyword

        - name: reverse_confidence_level
          type: double

        - name: reverse_connection_sum_duration_seconds
          type: long

        - name: reverse_connection_transaction_id
          type: long

        - name: reverse_data_byte_count
          type: long

        - name: reverse_data_link_frame_section
          type: keyword

        - name: reverse_data_link_frame_size
          type: integer

        - name: reverse_data_link_frame_type
          type: integer

        - name: reverse_data_records_reliability
          type: short

        - name: reverse_delta_flow_count
          type: long

        - name: reverse_destination_ipv4_address
          type: ip

        - name: reverse_destination_ipv4_prefix
          type: ip

        - name: reverse_destination_ipv4_prefix_length
          type: short

        - name: reverse_destination_ipv6_address
          type: ip

        - name: reverse_destination_ipv6_prefix
          type: ip

        - name: reverse_destination_ipv6_prefix_length
          type: short

        - name: reverse_destination_mac_address
          type: keyword

        - name: reverse_destination_transport_port
          type: integer

        - name: reverse_digest_hash_value
          type: long

        - name: reverse_distinct_count_of_destination_ip_address
          type: long

        - name: reverse_distinct_count_of_destination_ipv4_address
          type: long

        - name: reverse_distinct_count_of_destination_ipv6_address
          type: long

        - name: reverse_distinct_count_of_source_ip_address
          type: long

        - name: reverse_distinct_count_of_source_ipv4_address
          type: long

        - name: reverse_distinct_count_of_source_ipv6_address
          type: long

        - name: reverse_dot1q_customer_dei
          type: short

        - name: reverse_dot1q_customer_destination_mac_address
          type: keyword

        - name: reverse_dot1q_customer_priority
          type: short

        - name: reverse_dot1q_customer_source_mac_address
          type: keyword

        - name: reverse_dot1q_customer_vlan_id
          type: integer

        - name: reverse_dot1q_dei
          type: short

        - name: reverse_dot1q_priority
          type: short

        - name: reverse_dot1q_service_instance_id
          type: long

        - name: reverse_dot1q_service_instance_priority
          type: short

        - name: reverse_dot1q_service_instance_tag
          type: keyword

        - name: reverse_dot1q_vlan_id
          type: integer

        - name: reverse_dropped_layer2_octet_delta_count
          type: long

        - name: reverse_dropped_layer2_octet_total_count
          type: long

        - name: reverse_dropped_octet_delta_count
          type: long

        - name: reverse_dropped_octet_total_count
          type: long

        - name: reverse_dropped_packet_delta_count
          type: long

        - name: reverse_dropped_packet_total_count
          type: long

        - name: reverse_dst_traffic_index
          type: long

        - name: reverse_egress_broadcast_packet_total_count
          type: long

        - name: reverse_egress_interface
          type: long

        - name: reverse_egress_interface_type
          type: long

        - name: reverse_egress_physical_interface
          type: long

        - name: reverse_egress_unicast_packet_total_count
          type: long

        - name: reverse_egress_vrfid
          type: long

        - name: reverse_encrypted_technology
          type: keyword

        - name: reverse_engine_id
          type: short

        - name: reverse_engine_type
          type: short

        - name: reverse_ethernet_header_length
          type: short

        - name: reverse_ethernet_payload_length
          type: integer

        - name: reverse_ethernet_total_length
          type: integer

        - name: reverse_ethernet_type
          type: integer

        - name: reverse_export_sctp_stream_id
          type: integer

        - name: reverse_exporter_certificate
          type: keyword

        - name: reverse_exporting_process_id
          type: long

        - name: reverse_firewall_event
          type: short

        - name: reverse_first_non_empty_packet_size
          type: integer

        - name: reverse_first_packet_banner
          type: keyword

        - name: reverse_flags_and_sampler_id
          type: long

        - name: reverse_flow_active_timeout
          type: integer

        - name: reverse_flow_attributes
          type: integer

        - name: reverse_flow_delta_milliseconds
          type: long

        - name: reverse_flow_direction
          type: short

        - name: reverse_flow_duration_microseconds
          type: long

        - name: reverse_flow_duration_milliseconds
          type: long

        - name: reverse_flow_end_delta_microseconds
          type: long

        - name: reverse_flow_end_microseconds
          type: long

        - name: reverse_flow_end_milliseconds
          type: long

        - name: reverse_flow_end_nanoseconds
          type: long

        - name: reverse_flow_end_reason
          type: short

        - name: reverse_flow_end_seconds
          type: long

        - name: reverse_flow_end_sys_up_time
          type: long

        - name: reverse_flow_idle_timeout
          type: integer

        - name: reverse_flow_label_ipv6
          type: long

        - name: reverse_flow_sampling_time_interval
          type: long

        - name: reverse_flow_sampling_time_spacing
          type: long

        - name: reverse_flow_selected_flow_delta_count
          type: long

        - name: reverse_flow_selected_octet_delta_count
          type: long

        - name: reverse_flow_selected_packet_delta_count
          type: long

        - name: reverse_flow_selector_algorithm
          type: integer

        - name: reverse_flow_start_delta_microseconds
          type: long

        - name: reverse_flow_start_microseconds
          type: long

        - name: reverse_flow_start_milliseconds
          type: long

        - name: reverse_flow_start_nanoseconds
          type: long

        - name: reverse_flow_start_seconds
          type: long

        - name: reverse_flow_start_sys_up_time
          type: long

        - name: reverse_forwarding_status
          type: long

        - name: reverse_fragment_flags
          type: short

        - name: reverse_fragment_identification
          type: long

        - name: reverse_fragment_offset
          type: integer

        - name: reverse_gre_key
          type: long

        - name: reverse_hash_digest_output
          type: short

        - name: reverse_hash_flow_domain
          type: integer

        - name: reverse_hash_initialiser_value
          type: long

        - name: reverse_hash_ip_payload_offset
          type: long

        - name: reverse_hash_ip_payload_size
          type: long

        - name: reverse_hash_output_range_max
          type: long

        - name: reverse_hash_output_range_min
          type: long

        - name: reverse_hash_selected_range_max
          type: long

        - name: reverse_hash_selected_range_min
          type: long

        - name: reverse_icmp_code_ipv4
          type: short

        - name: reverse_icmp_code_ipv6
          type: short

        - name: reverse_icmp_type_code_ipv4
          type: integer

        - name: reverse_icmp_type_code_ipv6
          type: integer

        - name: reverse_icmp_type_ipv4
          type: short

        - name: reverse_icmp_type_ipv6
          type: short

        - name: reverse_igmp_type
          type: short

        - name: reverse_ignored_data_record_total_count
          type: long

        - name: reverse_ignored_layer2_frame_total_count
          type: long

        - name: reverse_ignored_layer2_octet_total_count
          type: long

        - name: reverse_information_element_data_type
          type: short

        - name: reverse_information_element_description
          type: keyword

        - name: reverse_information_element_id
          type: integer

        - name: reverse_information_element_index
          type: integer

        - name: reverse_information_element_name
          type: keyword

        - name: reverse_information_element_range_begin
          type: long

        - name: reverse_information_element_range_end
          type: long

        - name: reverse_information_element_semantics
          type: short

        - name: reverse_information_element_units
          type: integer

        - name: reverse_ingress_broadcast_packet_total_count
          type: long

        - name: reverse_ingress_interface
          type: long

        - name: reverse_ingress_interface_type
          type: long

        - name: reverse_ingress_multicast_packet_total_count
          type: long

        - name: reverse_ingress_physical_interface
          type: long

        - name: reverse_ingress_unicast_packet_total_count
          type: long

        - name: reverse_ingress_vrfid
          type: long

        - name: reverse_initial_tcp_flags
          type: short

        - name: reverse_initiator_octets
          type: long

        - name: reverse_initiator_packets
          type: long

        - name: reverse_interface_description
          type: keyword

        - name: reverse_interface_name
          type: keyword

        - name: reverse_intermediate_process_id
          type: long

        - name: reverse_ip_class_of_service
          type: short

        - name: reverse_ip_diff_serv_code_point
          type: short

        - name: reverse_ip_header_length
          type: short

        - name: reverse_ip_header_packet_section
          type: keyword

        - name: reverse_ip_next_hop_ipv4_address
          type: ip

        - name: reverse_ip_next_hop_ipv6_address
          type: ip

        - name: reverse_ip_payload_length
          type: long

        - name: reverse_ip_payload_packet_section
          type: keyword

        - name: reverse_ip_precedence
          type: short

        - name: reverse_ip_sec_spi
          type: long

        - name: reverse_ip_total_length
          type: long

        - name: reverse_ip_ttl
          type: short

        - name: reverse_ip_version
          type: short

        - name: reverse_ipv4_ihl
          type: short

        - name: reverse_ipv4_options
          type: long

        - name: reverse_ipv4_router_sc
          type: ip

        - name: reverse_ipv6_extension_headers
          type: long

        - name: reverse_is_multicast
          type: short

        - name: reverse_large_packet_count
          type: long

        - name: reverse_layer2_frame_delta_count
          type: long

        - name: reverse_layer2_frame_total_count
          type: long

        - name: reverse_layer2_octet_delta_count
          type: long

        - name: reverse_layer2_octet_delta_sum_of_squares
          type: long

        - name: reverse_layer2_octet_total_count
          type: long

        - name: reverse_layer2_octet_total_sum_of_squares
          type: long

        - name: reverse_layer2_segment_id
          type: long

        - name: reverse_layer2packet_section_data
          type: keyword

        - name: reverse_layer2packet_section_offset
          type: integer

        - name: reverse_layer2packet_section_size
          type: integer

        - name: reverse_line_card_id
          type: long

        - name: reverse_lower_ci_limit
          type: double

        - name: reverse_max_export_seconds
          type: long

        - name: reverse_max_flow_end_microseconds
          type: long

        - name: reverse_max_flow_end_milliseconds
          type: long

        - name: reverse_max_flow_end_nanoseconds
          type: long

        - name: reverse_max_flow_end_seconds
          type: long

        - name: reverse_max_packet_size
          type: integer

        - name: reverse_maximum_ip_total_length
          type: long

        - name: reverse_maximum_layer2_total_length
          type: long

        - name: reverse_maximum_ttl
          type: short

        - name: reverse_message_md5_checksum
          type: keyword

        - name: reverse_message_scope
          type: short

        - name: reverse_metering_process_id
          type: long

        - name: reverse_metro_evc_id
          type: keyword

        - name: reverse_metro_evc_type
          type: short

        - name: reverse_min_export_seconds
          type: long

        - name: reverse_min_flow_start_microseconds
          type: long

        - name: reverse_min_flow_start_milliseconds
          type: long

        - name: reverse_min_flow_start_nanoseconds
          type: long

        - name: reverse_min_flow_start_seconds
          type: long

        - name: reverse_minimum_ip_total_length
          type: long

        - name: reverse_minimum_layer2_total_length
          type: long

        - name: reverse_minimum_ttl
          type: short

        - name: reverse_monitoring_interval_end_milli_seconds
          type: long

        - name: reverse_monitoring_interval_start_milli_seconds
          type: long

        - name: reverse_mpls_label_stack_depth
          type: long

        - name: reverse_mpls_label_stack_length
          type: long

        - name: reverse_mpls_label_stack_section
          type: keyword

        - name: reverse_mpls_label_stack_section10
          type: keyword

        - name: reverse_mpls_label_stack_section2
          type: keyword

        - name: reverse_mpls_label_stack_section3
          type: keyword

        - name: reverse_mpls_label_stack_section4
          type: keyword

        - name: reverse_mpls_label_stack_section5
          type: keyword

        - name: reverse_mpls_label_stack_section6
          type: keyword

        - name: reverse_mpls_label_stack_section7
          type: keyword

        - name: reverse_mpls_label_stack_section8
          type: keyword

        - name: reverse_mpls_label_stack_section9
          type: keyword

        - name: reverse_mpls_payload_length
          type: long

        - name: reverse_mpls_payload_packet_section
          type: keyword

        - name: reverse_mpls_top_label_exp
          type: short

        - name: reverse_mpls_top_label_ipv4_address
          type: ip

        - name: reverse_mpls_top_label_ipv6_address
          type: ip

        - name: reverse_mpls_top_label_prefix_length
          type: short

        - name: reverse_mpls_top_label_stack_section
          type: keyword

        - name: reverse_mpls_top_label_ttl
          type: short

        - name: reverse_mpls_top_label_type
          type: short

        - name: reverse_mpls_vpn_route_distinguisher
          type: keyword

        - name: reverse_multicast_replication_factor
          type: long

        - name: reverse_nat_event
          type: short

        - name: reverse_nat_originating_address_realm
          type: short

        - name: reverse_nat_pool_id
          type: long

        - name: reverse_nat_pool_name
          type: keyword

        - name: reverse_nat_type
          type: short

        - name: reverse_new_connection_delta_count
          type: long

        - name: reverse_next_header_ipv6
          type: short

        - name: reverse_non_empty_packet_count
          type: long

        - name: reverse_not_sent_layer2_octet_total_count
          type: long

        - name: reverse_observation_domain_name
          type: keyword

        - name: reverse_observation_point_id
          type: long

        - name: reverse_observation_point_type
          type: short

        - name: reverse_observation_time_microseconds
          type: long

        - name: reverse_observation_time_milliseconds
          type: long

        - name: reverse_observation_time_nanoseconds
          type: long

        - name: reverse_observation_time_seconds
          type: long

        - name: reverse_octet_delta_count
          type: long

        - name: reverse_octet_delta_sum_of_squares
          type: long

        - name: reverse_octet_total_count
          type: long

        - name: reverse_octet_total_sum_of_squares
          type: long

        - name: reverse_opaque_octets
          type: keyword

        - name: reverse_original_exporter_ipv4_address
          type: ip

        - name: reverse_original_exporter_ipv6_address
          type: ip

        - name: reverse_original_flows_completed
          type: long

        - name: reverse_original_flows_initiated
          type: long

        - name: reverse_original_flows_present
          type: long

        - name: reverse_original_observation_domain_id
          type: long

        - name: reverse_os_finger_print
          type: keyword

        - name: reverse_os_name
          type: keyword

        - name: reverse_os_version
          type: keyword

        - name: reverse_p2p_technology
          type: keyword

        - name: reverse_packet_delta_count
          type: long

        - name: reverse_packet_total_count
          type: long

        - name: reverse_payload
          type: keyword

        - name: reverse_payload_entropy
          type: short

        - name: reverse_payload_length_ipv6
          type: integer

        - name: reverse_port_id
          type: long

        - name: reverse_port_range_end
          type: integer

        - name: reverse_port_range_num_ports
          type: integer

        - name: reverse_port_range_start
          type: integer

        - name: reverse_port_range_step_size
          type: integer

        - name: reverse_post_destination_mac_address
          type: keyword

        - name: reverse_post_dot1q_customer_vlan_id
          type: integer

        - name: reverse_post_dot1q_vlan_id
          type: integer

        - name: reverse_post_ip_class_of_service
          type: short

        - name: reverse_post_ip_diff_serv_code_point
          type: short

        - name: reverse_post_ip_precedence
          type: short

        - name: reverse_post_layer2_octet_delta_count
          type: long

        - name: reverse_post_layer2_octet_total_count
          type: long

        - name: reverse_post_mcast_layer2_octet_delta_count
          type: long

        - name: reverse_post_mcast_layer2_octet_total_count
          type: long

        - name: reverse_post_mcast_octet_delta_count
          type: long

        - name: reverse_post_mcast_octet_total_count
          type: long

        - name: reverse_post_mcast_packet_delta_count
          type: long

        - name: reverse_post_mcast_packet_total_count
          type: long

        - name: reverse_post_mpls_top_label_exp
          type: short

        - name: reverse_post_napt_destination_transport_port
          type: integer

        - name: reverse_post_napt_source_transport_port
          type: integer

        - name: reverse_post_nat_destination_ipv4_address
          type: ip

        - name: reverse_post_nat_destination_ipv6_address
          type: ip

        - name: reverse_post_nat_source_ipv4_address
          type: ip

        - name: reverse_post_nat_source_ipv6_address
          type: ip

        - name: reverse_post_octet_delta_count
          type: long

        - name: reverse_post_octet_total_count
          type: long

        - name: reverse_post_packet_delta_count
          type: long

        - name: reverse_post_packet_total_count
          type: long

        - name: reverse_post_source_mac_address
          type: keyword

        - name: reverse_post_vlan_id
          type: integer

        - name: reverse_private_enterprise_number
          type: long

        - name: reverse_protocol_identifier
          type: short

        - name: reverse_pseudo_wire_control_word
          type: long

        - name: reverse_pseudo_wire_destination_ipv4_address
          type: ip

        - name: reverse_pseudo_wire_id
          type: long

        - name: reverse_pseudo_wire_type
          type: integer

        - name: reverse_relative_error
          type: double

        - name: reverse_responder_octets
          type: long

        - name: reverse_responder_packets
          type: long

        - name: reverse_rfc3550_jitter_microseconds
          type: long

        - name: reverse_rfc3550_jitter_milliseconds
          type: long

        - name: reverse_rfc3550_jitter_nanoseconds
          type: long

        - name: reverse_rtp_payload_type
          type: short

        - name: reverse_rtp_sequence_number
          type: integer

        - name: reverse_sampler_id
          type: short

        - name: reverse_sampler_mode
          type: short

        - name: reverse_sampler_name
          type: keyword

        - name: reverse_sampler_random_interval
          type: long

        - name: reverse_sampling_algorithm
          type: short

        - name: reverse_sampling_flow_interval
          type: long

        - name: reverse_sampling_flow_spacing
          type: long

        - name: reverse_sampling_interval
          type: long

        - name: reverse_sampling_packet_interval
          type: long

        - name: reverse_sampling_packet_space
          type: long

        - name: reverse_sampling_population
          type: long

        - name: reverse_sampling_probability
          type: double

        - name: reverse_sampling_size
          type: long

        - name: reverse_sampling_time_interval
          type: long

        - name: reverse_sampling_time_space
          type: long

        - name: reverse_second_packet_banner
          type: keyword

        - name: reverse_section_exported_octets
          type: integer

        - name: reverse_section_offset
          type: integer

        - name: reverse_selection_sequence_id
          type: long

        - name: reverse_selector_algorithm
          type: integer

        - name: reverse_selector_id
          type: long

        - name: reverse_selector_id_total_flows_observed
          type: long

        - name: reverse_selector_id_total_flows_selected
          type: long

        - name: reverse_selector_id_total_pkts_observed
          type: long

        - name: reverse_selector_id_total_pkts_selected
          type: long

        - name: reverse_selector_name
          type: keyword

        - name: reverse_session_scope
          type: short

        - name: reverse_small_packet_count
          type: long

        - name: reverse_source_ipv4_address
          type: ip

        - name: reverse_source_ipv4_prefix
          type: ip

        - name: reverse_source_ipv4_prefix_length
          type: short

        - name: reverse_source_ipv6_address
          type: ip

        - name: reverse_source_ipv6_prefix
          type: ip

        - name: reverse_source_ipv6_prefix_length
          type: short

        - name: reverse_source_mac_address
          type: keyword

        - name: reverse_source_transport_port
          type: integer

        - name: reverse_src_traffic_index
          type: long

        - name: reverse_sta_ipv4_address
          type: ip

        - name: reverse_sta_mac_address
          type: keyword

        - name: reverse_standard_deviation_interarrival_time
          type: long

        - name: reverse_standard_deviation_payload_length
          type: integer

        - name: reverse_system_init_time_milliseconds
          type: long

        - name: reverse_tcp_ack_total_count
          type: long

        - name: reverse_tcp_acknowledgement_number
          type: long

        - name: reverse_tcp_control_bits
          type: integer

        - name: reverse_tcp_destination_port
          type: integer

        - name: reverse_tcp_fin_total_count
          type: long

        - name: reverse_tcp_header_length
          type: short

        - name: reverse_tcp_options
          type: long

        - name: reverse_tcp_psh_total_count
          type: long

        - name: reverse_tcp_rst_total_count
          type: long

        - name: reverse_tcp_sequence_number
          type: long

        - name: reverse_tcp_source_port
          type: integer

        - name: reverse_tcp_syn_total_count
          type: long

        - name: reverse_tcp_urg_total_count
          type: long

        - name: reverse_tcp_urgent_pointer
          type: integer

        - name: reverse_tcp_window_scale
          type: integer

        - name: reverse_tcp_window_size
          type: integer

        - name: reverse_total_length_ipv4
          type: integer

        - name: reverse_transport_octet_delta_count
          type: long

        - name: reverse_transport_packet_delta_count
          type: long

        - name: reverse_tunnel_technology
          type: keyword

        - name: reverse_udp_destination_port
          type: integer

        - name: reverse_udp_message_length
          type: integer

        - name: reverse_udp_source_port
          type: integer

        - name: reverse_union_tcp_flags
          type: short

        - name: reverse_upper_ci_limit
          type: double

        - name: reverse_user_name
          type: keyword

        - name: reverse_value_distribution_method
          type: short

        - name: reverse_virtual_station_interface_id
          type: keyword

        - name: reverse_virtual_station_interface_name
          type: keyword

        - name: reverse_virtual_station_name
          type: keyword

        - name: reverse_virtual_station_uuid
          type: keyword

        - name: reverse_vlan_id
          type: integer

        - name: reverse_vr_fname
          type: keyword

        - name: reverse_wlan_channel_id
          type: short

        - name: reverse_wlan_ssid
          type: keyword

        - name: reverse_wtp_mac_address
          type: keyword

        - name: rfc3550_jitter_microseconds
          type: long

        - name: rfc3550_jitter_milliseconds
          type: long

        - name: rfc3550_jitter_nanoseconds
          type: long

        - name: rtp_payload_type
          type: short

        - name: rtp_sequence_number
          type: integer

        - name: sampler_id
          type: short

        - name: sampler_mode
          type: short

        - name: sampler_name
          type: keyword

        - name: sampler_random_interval
          type: long

        - name: sampling_algorithm
          type: short

        - name: sampling_flow_interval
          type: long

        - name: sampling_flow_spacing
          type: long

        - name: sampling_interval
          type: long

        - name: sampling_packet_interval
          type: long

        - name: sampling_packet_space
          type: long

        - name: sampling_population
          type: long

        - name: sampling_probability
          type: double

        - name: sampling_size
          type: long

        - name: sampling_time_interval
          type: long

        - name: sampling_time_space
          type: long

        - name: second_packet_banner
          type: keyword

        - name: section_exported_octets
          type: integer

        - name: section_offset
          type: integer

        - name: selection_sequence_id
          type: long

        - name: selector_algorithm
          type: integer

        - name: selector_id
          type: long

        - name: selector_id_total_flows_observed
          type: long

        - name: selector_id_total_flows_selected
          type: long

        - name: selector_id_total_pkts_observed
          type: long

        - name: selector_id_total_pkts_selected
          type: long

        - name: selector_name
          type: keyword

        - name: service_name
          type: keyword

        - name: session_scope
          type: short

        - name: silk_app_label
          type: integer

        - name: small_packet_count
          type: long

        - name: source_ipv4_address
          type: ip

        - name: source_ipv4_prefix
          type: ip

        - name: source_ipv4_prefix_length
          type: short

        - name: source_ipv6_address
          type: ip

        - name: source_ipv6_prefix
          type: ip

        - name: source_ipv6_prefix_length
          type: short

        - name: source_mac_address
          type: keyword

        - name: source_transport_port
          type: integer

        - name: source_transport_ports_limit
          type: integer

        - name: src_traffic_index
          type: long

        - name: ssl_cert_serial_number
          type: keyword

        - name: ssl_cert_signature
          type: keyword

        - name: ssl_cert_validity_not_after
          type: keyword

        - name: ssl_cert_validity_not_before
          type: keyword

        - name: ssl_cert_version
          type: short

        - name: ssl_certificate_hash
          type: keyword

        - name: ssl_cipher
          type: keyword

        - name: ssl_client_version
          type: short

        - name: ssl_compression_method
          type: short

        - name: ssl_object_type
          type: keyword

        - name: ssl_object_value
          type: keyword

        - name: ssl_public_key_algorithm
          type: keyword

        - name: ssl_public_key_length
          type: keyword

        - name: ssl_server_cipher
          type: long

        - name: ssl_server_name
          type: keyword

        - name: sta_ipv4_address
          type: ip

        - name: sta_mac_address
          type: keyword

        - name: standard_deviation_interarrival_time
          type: long

        - name: standard_deviation_payload_length
          type: short

        - name: system_init_time_milliseconds
          type: date

        - name: tcp_ack_total_count
          type: long

        - name: tcp_acknowledgement_number
          type: long

        - name: tcp_control_bits
          type: integer

        - name: tcp_destination_port
          type: integer

        - name: tcp_fin_total_count
          type: long

        - name: tcp_header_length
          type: short

        - name: tcp_options
          type: long

        - name: tcp_psh_total_count
          type: long

        - name: tcp_rst_total_count
          type: long

        - name: tcp_sequence_number
          type: long

        - name: tcp_source_port
          type: integer

        - name: tcp_syn_total_count
          type: long

        - name: tcp_urg_total_count
          type: long

        - name: tcp_urgent_pointer
          type: integer

        - name: tcp_window_scale
          type: integer

        - name: tcp_window_size
          type: integer

        - name: template_id
          type: integer

        - name: tftp_filename
          type: keyword

        - name: tftp_mode
          type: keyword

        - name: timestamp
          type: long

        - name: timestamp_absolute_monitoring-interval
          type: long

        - name: total_length_ipv4
          type: integer

        - name: traffic_type
          type: short

        - name: transport_octet_delta_count
          type: long

        - name: transport_packet_delta_count
          type: long

        - name: tunnel_technology
          type: keyword

        - name: udp_destination_port
          type: integer

        - name: udp_message_length
          type: integer

        - name: udp_source_port
          type: integer

        - name: union_tcp_flags
          type: short

        - name: upper_ci_limit
          type: double

        - name: user_name
          type: keyword

        - name: username
          type: keyword

        - name: value_distribution_method
          type: short

        - name: viptela_vpn_id
          type: long

        - name: virtual_station_interface_id
          type: short

        - name: virtual_station_interface_name
          type: keyword

        - name: virtual_station_name
          type: keyword

        - name: virtual_station_uuid
          type: short

        - name: vlan_id
          type: integer

        - name: vmware_egress_interface_attr
          type: integer

        - name: vmware_ingress_interface_attr
          type: integer

        - name: vmware_tenant_dest_ipv4
          type: ip

        - name: vmware_tenant_dest_ipv6
          type: ip

        - name: vmware_tenant_dest_port
          type: integer

        - name: vmware_tenant_protocol
          type: short

        - name: vmware_tenant_source_ipv4
          type: ip

        - name: vmware_tenant_source_ipv6
          type: ip

        - name: vmware_tenant_source_port
          type: integer

        - name: vmware_vxlan_export_role
          type: short

        - name: vpn_identifier
          type: short

        - name: vr_fname
          type: keyword

        - name: waasoptimization_segment
          type: short

        - name: wlan_channel_id
          type: short

        - name: wlan_ssid
          type: keyword

        - name: wtp_mac_address
          type: keyword

        - name: xlate_destination_address_ip_v4
          type: ip

        - name: xlate_destination_port
          type: integer

        - name: xlate_source_address_ip_v4
          type: ip

        - name: xlate_source_port
          type: integer

- key: cef
  title: Decode CEF processor fields
  description: >
    Common Event Format (CEF) data.
  fields:
    - name: cef
      type: group
      description: >
        By default the `decode_cef` processor writes all data from the CEF
        message to this `cef` object. It contains the CEF header fields and the
        extension data.
      fields:
        - name: version
          type: keyword
          description: >
            Version of the CEF specification used by the message.

        - name: device.vendor
          type: keyword
          description: >
            Vendor of the device that produced the message.

        - name: device.product
          type: keyword
          description: >
            Product of the device that produced the message.

        - name: device.version
          type: keyword
          description: >
            Version of the product that produced the message.

        - name: device.event_class_id
          type: keyword
          description: >
            Unique identifier of the event type.

        - name: severity
          type: keyword
          example: Very-High
          description: >
            Importance of the event. The valid string values are Unknown, Low,
            Medium, High, and Very-High. The valid integer values are 0-3=Low,
            4-6=Medium, 7-8=High, and 9-10=Very-High.

        - name: name
          type: keyword
          description: >
            Short description of the event.

        - name: extensions
          type: group
          description: >
            Collection of key-value pairs carried in the CEF extension field.
          fields:
            - name: agentAddress
              type: ip
              description: The IP address of the ArcSight connector that processed the event.

            - name: agentDnsDomain
              type: keyword
              description: The DNS domain name of the ArcSight connector that processed the event.

            - name: agentHostName
              type: keyword
              description: The hostname of the ArcSight connector that processed the event.

            - name: agentId
              type: keyword
              description: The agent ID of the ArcSight connector that processed the event.

            - name: agentMacAddress
              type: keyword
              description: The MAC address of the ArcSight connector that processed the event.

            - name: agentNtDomain
              type: keyword
              description:

            - name: agentReceiptTime
              type: date
              description: The time at which information about the event was received by the ArcSight connector.

            - name: agentTimeZone
              type: keyword
              description: The agent time zone of the ArcSight connector that processed the event.

            - name: agentTranslatedAddress
              type: ip
              description:

            - name: agentTranslatedZoneExternalID
              type: keyword
              description:

            - name: agentTranslatedZoneURI
              type: keyword
              description:

            - name: agentType
              type: keyword
              description: The agent type of the ArcSight connector that processed the event.

            - name: agentVersion
              type: keyword
              description: The version of the ArcSight connector that processed the event.

            - name: agentZoneExternalID
              type: keyword
              description:

            - name: agentZoneURI
              type: keyword
              description:

            - name: applicationProtocol
              type: keyword
              description: Application-level protocol; example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on.

            - name: baseEventCount
              type: long
              description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.

            - name: bytesIn
              type: long
              description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.

            - name: bytesOut
              type: long
              description: Number of bytes transferred outbound relative to the source to destination relationship, that is, the number of bytes flowing from the destination back to the source.

            - name: customerExternalID
              type: keyword
              description:

            - name: customerURI
              type: keyword
              description:

            - name: destinationAddress
              type: ip
              description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.

            - name: destinationDnsDomain
              type: keyword
              description: The DNS domain part of the complete fully qualified domain name (FQDN).

            - name: destinationGeoLatitude
              type: double
              description: Latitude of the location to which the destination IP address is geolocated.

            - name: destinationGeoLongitude
              type: double
              description: Longitude of the location to which the destination IP address is geolocated.

            - name: destinationHostName
              type: keyword
              description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.

            - name: destinationMacAddress
              type: keyword
              description: Six colon-separated hexadecimal numbers.

            - name: destinationNtDomain
              type: keyword
              description: The Windows domain name of the destination address.

            - name: destinationPort
              type: long
              description: The valid port numbers are between 0 and 65535.

            - name: destinationProcessId
              type: long
              description: Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID.

            - name: destinationProcessName
              type: keyword
              description: The name of the event's destination process.

            - name: destinationServiceName
              type: keyword
              description: The service targeted by this event.

            - name: destinationTranslatedAddress
              type: ip
              description: Identifies the translated destination that the event refers to in an IP network.

            - name: destinationTranslatedPort
              type: long
              description: The destination port after translation by, for example, a firewall. Valid port numbers are 0 to 65535.

            - name: destinationTranslatedZoneExternalID
              type: keyword
              description:

            - name: destinationTranslatedZoneURI
              type: keyword
              description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.

            - name: destinationUserId
              type: keyword
              description: Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0.

            - name: destinationUserName
              type: keyword
              description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.

            - name: destinationUserPrivileges
              type: keyword
              description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with a destinationUserPrivileges of "Administrator".

            - name: destinationZoneExternalID
              type: keyword
              description:

            - name: destinationZoneURI
              type: keyword
              description: The URI for the Zone that the destination asset has been assigned to in ArcSight.

            - name: deviceAction
              type: keyword
              description: Action taken by the device.

            - name: deviceAddress
              type: ip
              description: Identifies the device address that an event refers to in an IP network.

            - name: deviceCustomFloatingPoint1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomFloatingPoint3Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomFloatingPoint4Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomDate1
              type: date
              description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomDate1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomDate2
              type: date
              description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomDate2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomFloatingPoint1
              type: double
              description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomFloatingPoint2
              type: double
              description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomFloatingPoint2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomFloatingPoint3
              type: double
              description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomFloatingPoint4
              type: double
              description: One of four floating point fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomIPv6Address1
              type: ip
              description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomIPv6Address1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomIPv6Address2
              type: ip
              description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomIPv6Address2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomIPv6Address3
              type: ip
              description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomIPv6Address3Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomIPv6Address4
              type: ip
              description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.

            - name: deviceCustomIPv6Address4Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomNumber1
              type: long
              description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomNumber1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomNumber2
              type: long
              description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomNumber2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomNumber3
              type: long
              description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomNumber3Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString1
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString2
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString3
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString3Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString4
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString4Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString5
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString5Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceCustomString6
              type: keyword
              description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceCustomString6Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceDirection
              type: long
              description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.

            - name: deviceDnsDomain
              type: keyword
              description: The DNS domain part of the complete fully qualified domain name (FQDN).

            - name: deviceEventCategory
              type: keyword
              description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify events. Example "/Monitor/Disk/Read".

            - name: deviceExternalId
              type: keyword
              description: A name that uniquely identifies the device generating this event.

            - name: deviceFacility
              type: keyword
              description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.

            - name: deviceFlexNumber1
              type: long
              description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceFlexNumber1Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceFlexNumber2
              type: long
              description: One of two alternative number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.

            - name: deviceFlexNumber2Label
              type: keyword
              description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.

            - name: deviceHostName
              type: keyword
              description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.

            - name: deviceInboundInterface
              type: keyword
              description: Interface on which the packet or data entered the device.

            - name: deviceMacAddress
              type: keyword
              description: Six colon-separated hexadecimal numbers.

            - name: deviceNtDomain
              type: keyword
              description: The Windows domain name of the device address.

            - name: deviceOutboundInterface
              type: keyword
              description: Interface on which the packet or data left the device.

            - name: devicePayloadId
              type: keyword
              description: Unique identifier for the payload associated with the event.

            - name: deviceProcessId
              type: long
              description: Provides the ID of the process on the device generating the event.

            - name: deviceProcessName
              type: keyword
              description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.

            - name: deviceReceiptTime
              type: date
              description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).

            - name: deviceTimeZone
              type: keyword
              description: The time zone for the device generating the event.

            - name: deviceTranslatedAddress
              type: ip
              description: Identifies the translated device address that the event refers to in an IP network.

            - name: deviceTranslatedZoneExternalID
              type: keyword
              description:

            - name: deviceTranslatedZoneURI
              type: keyword
              description: The URI for the Translated Zone that the device asset has been assigned to in ArcSight.

            - name: deviceZoneExternalID
              type: keyword
              description:

            - name: deviceZoneURI
              type: keyword
              description: The URI for the Zone that the device asset has been assigned to in ArcSight.

            - name: endTime
              type: date
              description: The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session.

            - name: eventId
              type: long
              description: This is a unique ID that ArcSight assigns to each event.

            - name: eventOutcome
              type: keyword
              description: Displays the outcome, usually as 'success' or 'failure'.

            - name: externalId
              type: keyword
              description: The ID used by an originating device. They are usually increasing numbers, associated with events.

            - name: fileCreateTime
              type: date
              description: Time when the file was created.

            - name: fileHash
              type: keyword
              description: Hash of a file.

            - name: fileId
              type: keyword
              description: An ID associated with the file; for example, the inode.

            - name: fileModificationTime
              type: date
              description: Time when the file was last modified.

            - name: filename
              type: keyword
              description: Name of the file only (without its path).

            - name: filePath
              type: keyword
              description: Full path to the file, including file name itself.

            - name: filePermission
              type: keyword
              description: Permissions of the file.

            - name: fileSize
              type: long
              description: Size of the file.

            - name: fileType
              type: keyword
              description: Type of file (pipe, socket, etc.)

            - name: flexDate1
              type: date
              description: A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

            - name: flexDate1Label
              type: keyword
              description: The label field is a string and describes the purpose of the flex field.

            - name: flexString1
              type: keyword
              description: One of two alternative string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

            - name: flexString2
              type: keyword
              description: One of two alternative string fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.

            - name: flexString1Label
              type: keyword
              description: The label field is a string and describes the purpose of the flex field.

            - name: flexString2Label
              type: keyword
              description: The label field is a string and describes the purpose of the flex field.

            - name: message
              type: keyword
              description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.

            - name: oldFileCreateTime
              type: date
              description: Time when old file was created.

            - name: oldFileHash
              type: keyword
              description: Hash of the old file.

            - name: oldFileId
              type: keyword
              description: An ID associated with the old file; for example, the inode.

            - name: oldFileModificationTime
              type: date
              description: Time when old file was last modified.

            - name: oldFileName
              type: keyword
              description: Name of the old file.

            - name: oldFilePath
              type: keyword
              description: Full path to the old file, including the file name itself.

            - name: oldFilePermission
              type: keyword
              description: Permissions of the old file.

            - name: oldFileSize
              type: long
              description: Size of the old file.

            - name: oldFileType
              type: keyword
              description: Type of the old file (pipe, socket, etc.)

            - name: rawEvent
              type: keyword
              description:

            - name: Reason
              type: keyword
              description: The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234".

            - name: requestClientApplication
              type: keyword
              description: The User-Agent associated with the request.

            - name: requestContext
              type: keyword
              description: Description of the context from which the request originated (for example, the HTTP Referer header).

            - name: requestCookies
              type: keyword
              description: Cookies associated with the request.

            - name: requestMethod
              type: keyword
              description: The HTTP method used to access a URL.

            - name: requestUrl
              type: keyword
              description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.

            - name: sourceAddress
              type: ip
              description: Identifies the source that an event refers to in an IP network.

            - name: sourceDnsDomain
              type: keyword
              description: The DNS domain part of the complete fully qualified domain name (FQDN).

            - name: sourceGeoLatitude
              type: double
              description:

            - name: sourceGeoLongitude
              type: double
              description:

            - name: sourceHostName
              type: keyword
              description: >
                Identifies the source that an event refers to in an IP network.
                The format should be a fully qualified domain name (FQDN) associated with the source node, when a
                node is available. Examples: 'host' or 'host.domain.com'.

            - name: sourceMacAddress
              type: keyword
              example: "00:0d:60:af:1b:61"
              description: Six colon-separated hexadecimal numbers.

            - name: sourceNtDomain
              type: keyword
              description: The Windows domain name for the source address.

            - name: sourcePort
              type: long
              description: The valid port numbers are 0 to 65535.

            - name: sourceProcessId
              type: long
              description: The ID of the source process associated with the event.

            - name: sourceProcessName
              type: keyword
              description: The name of the event's source process.

            - name: sourceServiceName
              type: keyword
              description: The service that is responsible for generating this event.

            - name: sourceTranslatedAddress
              type: ip
              description: Identifies the translated source that the event refers to in an IP network.

            - name: sourceTranslatedPort
              type: long
              description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.

            - name: sourceTranslatedZoneExternalID
              type: keyword
              description:

            - name: sourceTranslatedZoneURI
              type: keyword
              description: The URI for the Translated Zone that the source asset has been assigned to in ArcSight.

            - name: sourceUserId
              type: keyword
              description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.

            - name: sourceUserName
              type: keyword
              description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.

            - name: sourceUserPrivileges
              type: keyword
              description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".

            - name: sourceZoneExternalID
              type: keyword
              description:

            - name: sourceZoneURI
              type: keyword
              description: The URI for the Zone that the source asset has been assigned to in ArcSight.

            - name: startTime
              type: date
              description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).

            - name: transportProtocol
              type: keyword
              description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.

            - name: type
              type: long
              description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).

            # ArcSight fields.
            - name: categoryDeviceType
              type: keyword
              description: Device type. Examples - Proxy, IDS, Web Server

            - name: categoryObject
              type: keyword
              description: Object that the event is about. For example it can be an operating system, database, file, etc.

            - name: categoryBehavior
              type: keyword
              description: Action or a behavior associated with an event. It's what is being done to the object.

            - name: categoryTechnique
              type: keyword
              description: Technique being used (e.g. /DoS).

            - name: categoryDeviceGroup
              type: keyword
              description: General device group like Firewall.

            - name: categorySignificance
              type: keyword
              description: Characterization of the importance of the event.

            - name: categoryOutcome
              type: keyword
              description: Outcome of the event (e.g. success, failure, or attempt).

            - name: managerReceiptTime
              type: date
              description: When the ArcSight ESM received the event.

    - name: source.service.name
      type: keyword
      description:
        Service that is the source of the event.

    - name: destination.service.name
      type: keyword
      description:
        Service that is the target of the event.