diff --git a/dev-tools/mage/docs.go b/dev-tools/mage/docs.go
index c5d77dee6b86..1210d5217f6a 100644
--- a/dev-tools/mage/docs.go
+++ b/dev-tools/mage/docs.go
@@ -66,7 +66,7 @@ func DocsIndexFile(file string) DocsOption {
 // Docs holds the utilities for building documentation.
 var Docs = docsBuilder{}
 
-// FieldDocs generates docs/fields.asciidoc from the specified fields.yml file.
+// FieldDocs generates exported-fields.md from the specified fields.yml file.
 func (docsBuilder) FieldDocs(fieldsYML string) error {
 // Run the docs_collector.py script.
 ve, err := PythonVirtualenv(false)
@@ -84,13 +84,15 @@ func (docsBuilder) FieldDocs(fieldsYML string) error {
 return err
 }
 
+ outputPath := filepath.Join(DocsDir(), "reference", BeatName)
+
 // TODO: Port this script to Go.
- log.Println(">> Generating docs/fields.asciidoc for", BeatName)
+ log.Println(">> Generating exported-fields.md for", BeatName)
 return sh.Run(python, LibbeatDir("scripts/generate_fields_docs.py"),
- fieldsYML, // Path to fields.yml.
- BeatName, // Beat title.
- esBeats, // Path to general beats folder.
- "--output_path", OSSBeatDir()) // It writes to {output_path}/docs/fields.asciidoc.
+ fieldsYML, // Path to fields.yml.
+ BeatName, // Beat title.
+ esBeats, // Path to general beats folder.
+ "--output_path", outputPath) // It writes to {output_path}/exported-fields.md.
 }
 
 func (b docsBuilder) AsciidocBook(opts ...DocsOption) error {
diff --git a/docs/reference/auditbeat/exported-fields-auditd.md b/docs/reference/auditbeat/exported-fields-auditd.md
index f3e4f5e62f0f..13fc75107812 100644
--- a/docs/reference/auditbeat/exported-fields-auditd.md
+++ b/docs/reference/auditbeat/exported-fields-auditd.md
@@ -3,6 +3,8 @@ mapped_pages:
 - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html
 ---
 
+% This file is generated! See scripts/generate_fields_docs.py
+
 # Auditd fields [exported-fields-auditd]
 
 These are the fields generated by the auditd module.
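Review bot: The new doc comment, log line and trailing comment in both docs.go hunks name a single `exported-fields.md`, while the files this commit regenerates are the per-fields.yml pages `exported-fields-auditd.md`, `exported-fields-ecs.md` and so on under `docs/reference/auditbeat/`, so `// It writes to {output_path}/exported-fields.md.` understates what the script produces and will mislead the next person looking for the output. Suggest `// FieldDocs generates the exported-fields-*.md reference pages under docs/reference/{BeatName} from the specified fields.yml file.` on the declaration, `// It writes to {output_path}/exported-fields-*.md.` after the `--output_path` argument, and `">> Generating exported-fields-*.md for"` in the log call. `FieldDocs` opens in the first hunk and its body is cut between the two hunks, so the `filepath` import and `DocsDir()` definition this relies on are outside the view and should be confirmed to exist in the file. Separately, the regenerated markdown in this same commit carries asciidoc-style links written as `https://…[blog post]` where the previous pages had markdown links, which suggests the link rendering in `scripts/generate_fields_docs.py` invoked here regressed and is worth checking before the generated output is merged.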
@@ -49,10 +51,9 @@ alias to: user.saved.group.id alias to: user.filesystem.group.id - ## name_map [_name_map] -If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid → root). +If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root). **`user.name_map.auid`** : type: alias @@ -96,7 +97,6 @@ alias to: user.saved.group.name alias to: user.filesystem.group.name - ## selinux [_selinux] The SELinux identity of the actor. @@ -108,19 +108,19 @@ type: keyword **`user.selinux.role`** -: user’s SELinux role +: user's SELinux role type: keyword **`user.selinux.domain`** -: The actor’s SELinux domain or type. +: The actor's SELinux domain or type. type: keyword **`user.selinux.level`** -: The actor’s SELinux level. +: The actor's SELinux level. type: keyword @@ -128,12 +128,11 @@ example: s0 **`user.selinux.category`** -: The actor’s SELinux category or compartments. +: The actor's SELinux category or compartments. type: keyword - ## process [_process] Process attributes. @@ -146,7 +145,6 @@ type: alias alias to: process.working_directory - ## source [_source] Source that triggered the event. @@ -157,7 +155,6 @@ Source that triggered the event. type: keyword - ## destination [_destination] Destination address that triggered the event. @@ -196,13 +193,12 @@ type: keyword example: success or fail - ## actor [_actor] The actor is the user that triggered the audit event. **`auditd.summary.actor.primary`** -: The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account. +: The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. type: keyword 
@@ -213,7 +209,6 @@ type: keyword type: keyword - ## object [_object] This is the thing or object being acted upon in the event. @@ -238,7 +233,6 @@ type: keyword type: keyword - ## paths [_paths] List of paths associated with the event. @@ -317,8 +311,7 @@ type: keyword type: keyword - -## data [_data_2] +## data [_data] The data from the audit messages. @@ -335,7 +328,7 @@ type: keyword **`auditd.data.acct`** -: a user’s account name +: a user's account name type: keyword @@ -555,7 +548,7 @@ type: keyword **`auditd.data.audit_backlog_limit`** -: audit system’s backlog queue size +: audit system's backlog queue size type: keyword @@ -591,7 +584,7 @@ type: keyword **`auditd.data.oauid`** -: object’s login user ID +: object's login user ID type: keyword @@ -615,13 +608,13 @@ type: keyword **`auditd.data.vm-ctx`** -: the vm’s context string +: the vm's context string type: keyword **`auditd.data.opid`** -: object’s process ID +: object's process ID type: keyword @@ -675,7 +668,7 @@ type: keyword **`auditd.data.range`** -: user’s SE Linux range +: user's SE Linux range type: keyword @@ -705,7 +698,7 @@ type: keyword **`auditd.data.subj`** -: lspp subject’s context string +: lspp subject's context string type: keyword @@ -723,13 +716,13 @@ type: keyword **`auditd.data.kernel`** -: kernel’s version number +: kernel's version number type: keyword **`auditd.data.ocomm`** -: object’s command line name +: object's command line name type: keyword @@ -807,7 +800,7 @@ type: keyword **`auditd.data.iuid`** -: ipc object’s user ID +: ipc object's user ID type: keyword @@ -837,7 +830,7 @@ type: keyword **`auditd.data.vm-pid`** -: vm’s process ID +: vm's process ID type: keyword @@ -855,7 +848,7 @@ type: keyword **`auditd.data.oses`** -: object’s session ID +: object's session ID type: keyword @@ -867,7 +860,7 @@ type: keyword **`auditd.data.igid`** -: ipc object’s group ID +: ipc object's group ID type: keyword 
@@ -987,7 +980,7 @@ type: keyword **`auditd.data.audit_backlog_wait_time`** -: audit system’s backlog wait time +: audit system's backlog wait time type: keyword @@ -1023,7 +1016,7 @@ type: keyword **`auditd.data.format`** -: audit log’s format +: audit log's format type: keyword @@ -1035,7 +1028,7 @@ type: keyword **`auditd.data.tcontext`** -: the target’s or object’s context string +: the target's or object's context string type: keyword @@ -1113,7 +1106,7 @@ type: keyword **`auditd.data.inode_gid`** -: group ID of the inode’s owner +: group ID of the inode's owner type: keyword @@ -1203,7 +1196,7 @@ type: keyword **`auditd.data.audit_failure`** -: audit system’s failure mode +: audit system's failure mode type: keyword @@ -1263,7 +1256,7 @@ type: keyword **`auditd.data.seuser`** -: user’s SE Linux user acct +: user's SE Linux user acct type: keyword @@ -1359,7 +1352,7 @@ type: keyword **`auditd.data.list`** -: the audit system’s filter list number +: the audit system's filter list number type: keyword @@ -1401,7 +1394,7 @@ type: keyword **`auditd.data.audit_enabled`** -: audit systems’s enable/disable status +: audit systems's enable/disable status type: keyword @@ -1425,19 +1418,19 @@ type: keyword **`auditd.data.scontext`** -: the subject’s context string +: the subject's context string type: keyword **`auditd.data.tclass`** -: target’s object classification +: target's object classification type: keyword **`auditd.data.ver`** -: audit daemon’s version number +: audit daemon's version number type: keyword @@ -1455,7 +1448,7 @@ type: keyword **`auditd.data.img-ctx`** -: the vm’s disk image context string +: the vm's disk image context string type: keyword @@ -1479,7 +1472,7 @@ type: keyword **`auditd.data.inode_uid`** -: user ID of the inode’s owner +: user ID of the inode's owner type: keyword 
@@ -1538,7 +1531,6 @@ type: alias alias to: error.message - ## geoip [_geoip] The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor. diff --git a/docs/reference/auditbeat/exported-fields-beat-common.md b/docs/reference/auditbeat/exported-fields-beat-common.md index 38c384eb9849..531af8ccfd58 100644 --- a/docs/reference/auditbeat/exported-fields-beat-common.md +++ b/docs/reference/auditbeat/exported-fields-beat-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/auditbeat/exported-fields-cloud.md b/docs/reference/auditbeat/exported-fields-cloud.md index 1e9c2c59a67f..65b8598472ff 100644 --- a/docs/reference/auditbeat/exported-fields-cloud.md +++ b/docs/reference/auditbeat/exported-fields-cloud.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/auditbeat/exported-fields-common.md b/docs/reference/auditbeat/exported-fields-common.md index 6c5753afcc25..b292836cbf02 100644 --- a/docs/reference/auditbeat/exported-fields-common.md +++ b/docs/reference/auditbeat/exported-fields-common.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Common fields [exported-fields-common] Contains common fields available in all event types. - ## file [_file] File attributes. 
@@ -40,8 +41,7 @@ type: keyword type: text - -## selinux [_selinux_2] +## selinux [_selinux] The SELinux identity of the file. @@ -52,31 +52,29 @@ type: keyword **`file.selinux.role`** -: The object’s SELinux role. +: The object's SELinux role. type: keyword **`file.selinux.domain`** -: The object’s SELinux domain or type. +: The object's SELinux domain or type. type: keyword **`file.selinux.level`** -: The object’s SELinux level. +: The object's SELinux level. type: keyword example: s0 - ## user [_user] User information. - ## audit [_audit] Audit user information. @@ -93,7 +91,6 @@ type: keyword type: keyword - ## filesystem [_filesystem] Filesystem user information. @@ -110,7 +107,6 @@ type: keyword type: keyword - ## group [_group] Filesystem group information. @@ -127,7 +123,6 @@ type: keyword type: keyword - ## saved [_saved] Saved user information. @@ -144,8 +139,7 @@ type: keyword type: keyword - -## group [_group_2] +## group [_group] Saved group information. diff --git a/docs/reference/auditbeat/exported-fields-docker-processor.md b/docs/reference/auditbeat/exported-fields-docker-processor.md index aa3d77a624d8..c379c6751cdc 100644 --- a/docs/reference/auditbeat/exported-fields-docker-processor.md +++ b/docs/reference/auditbeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. diff --git a/docs/reference/auditbeat/exported-fields-ecs.md b/docs/reference/auditbeat/exported-fields-ecs.md index b7d375b30817..2187931a4192 100644 --- a/docs/reference/auditbeat/exported-fields-ecs.md +++ b/docs/reference/auditbeat/exported-fields-ecs.md 
@@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Auditbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Auditbeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] - ## agent [_agent] -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text - ## client [_client] -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,7 +746,6 @@ type: boolean example: true - ## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs +## destination [_destination] -## destination [_destination_2] - -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - ## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword - ## error [_error] -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException - ## event [_event] -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http +## file [_file] -## file [_file_2] - -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,8 +2773,7 @@ type: keyword example: America/Argentina/Buenos_Aires - -## group [_group_3] +## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 - ## log [_log] -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error - ## network [_network] -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal **`observer.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3763,7 +3761,7 @@ example: darwin **`observer.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3814,7 +3812,6 @@ example: Symantec type: keyword - ## orchestrator [_orchestrator] Fields that describe the resources which container orchestrators manage or act upon. @@ -3885,10 +3882,10 @@ type: keyword example: kubernetes - ## organization [_organization] -The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. **`organization.id`** : Unique identifier for the organization. @@ -3906,7 +3903,6 @@ type: keyword : type: match_only_text - ## os [_os] The OS fields contain information about the operating system. 
@@ -3960,7 +3956,7 @@ example: darwin **`os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3975,7 +3971,6 @@ type: keyword example: 10.14.1 - ## package [_package] These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. @@ -4027,7 +4022,7 @@ type: date **`package.license`** -: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)). +: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword @@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/ type: keyword -example: [https://golang.org](https://golang.org) +example: https://golang.org **`package.size`** @@ -4084,7 +4079,6 @@ type: keyword example: 1.12.9 - ## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415 **`pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -4145,10 +4139,10 @@ type: keyword example: Microsoft® Windows® Operating System +## process [_process] -## process [_process_2] - -These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. **`process.args`** : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. @@ -4275,7 +4269,7 @@ example: Intel **`process.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -4645,7 +4639,7 @@ example: Intel **`process.parent.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -4923,7 +4917,7 @@ example: 6.3.9600.17415 **`process.parent.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415 **`process.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -5150,7 +5144,6 @@ example: /home/alice : type: match_only_text - ## registry [_registry] Fields related to Windows Registry operations. 
@@ -5211,13 +5204,14 @@ type: keyword example: Debugger - ## related [_related] -This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. **`related.hash`** -: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). +: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword 
@@ -5240,10 +5234,10 @@ type: ip type: keyword - ## rule [_rule] -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. **`rule.author`** : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. @@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS **`rule.reference`** -: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) +example: https://en.wikipedia.org/wiki/DNS_over_TLS **`rule.ruleset`** 
@@ -5325,10 +5319,11 @@ type: keyword example: 1.1 - ## server [_server] -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`server.address`** : Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5383,7 +5378,7 @@ example: Montreal **`server.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -5507,7 +5502,7 @@ format: string **`server.registered_domain`** -: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -5523,7 +5518,7 @@ example: east **`server.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5543,7 +5538,7 @@ type: keyword **`server.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -5606,10 +5601,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## service [_service] -The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. **`service.address`** : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics **`service.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics **`service.origin.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics **`service.target.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5821,10 +5816,10 @@ type: keyword example: 3.2.4 +## source [_source] -## source [_source_2] - -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`source.address`** : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5879,7 +5874,7 @@ example: Montreal **`source.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -6003,7 +5998,7 @@ format: string **`source.registered_domain`** -: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -6019,7 +6014,7 @@ example: east **`source.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6039,7 +6034,7 @@ type: keyword **`source.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -6102,10 +6097,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## threat [_threat] -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). **`threat.enrichments`** : A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -6140,7 +6135,7 @@ example: Google LLC **`threat.enrichments.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword 
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.enrichments.indicator.file.accessed`** @@ -6170,7 +6165,7 @@ type: date **`threat.enrichments.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -6310,7 +6305,7 @@ example: Intel **`threat.enrichments.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -6548,7 +6543,7 @@ example: 256383 **`threat.enrichments.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -6576,7 +6571,7 @@ example: example.png **`threat.enrichments.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword 
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415 **`threat.enrichments.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -6824,7 +6819,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -6894,7 +6889,7 @@ example: Montreal **`threat.enrichments.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.enrichments.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -7014,7 +7009,7 @@ example: 443 **`threat.enrichments.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -7026,7 +7021,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.enrichments.indicator.registry.data.bytes`** @@ -7102,7 +7097,7 @@ example: 20 **`threat.enrichments.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -7136,7 +7131,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.enrichments.indicator.url.full.text`** 
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.enrichments.indicator.url.original.text`** @@ -7184,7 +7179,7 @@ type: keyword **`threat.enrichments.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII… ", "MII… "] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "… "] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII… ", "MII… "] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,7 +9550,6 @@ type: keyword example: 00f067aa0ba902b7 - ## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword +## user [_user] -## user [_user_2] - -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/auditbeat/exported-fields-file_integrity.md b/docs/reference/auditbeat/exported-fields-file_integrity.md index 6b3ed764019e..5628dfae2dd6 100644 --- a/docs/reference/auditbeat/exported-fields-file_integrity.md +++ b/docs/reference/auditbeat/exported-fields-file_integrity.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-file_integrity.html --- +% This file is generated! See scripts/generate_fields_docs.py + # File Integrity fields [exported-fields-file_integrity] These are the fields generated by the file_integrity module. - -## file [_file_3] +## file [_file] File attributes. - -## elf [_elf_2] +## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -85,7 +85,6 @@ type: long format: number - ## macho [_macho] These fields contain Mach object file Format (Mach-O) metadata. @@ -208,8 +207,7 @@ type: keyword example: d3ccf195b62a9279c3c19af1080497ec - -## pe [_pe_2] +## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -321,8 +319,7 @@ type: long format: string - -## hash [_hash_2] +## hash [_hash] Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values. diff --git a/docs/reference/auditbeat/exported-fields-host-processor.md b/docs/reference/auditbeat/exported-fields-host-processor.md index 000cd178de6c..c1815834913d 100644 --- a/docs/reference/auditbeat/exported-fields-host-processor.md +++ b/docs/reference/auditbeat/exported-fields-host-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md index c6cb8d08936c..91050d3cf58e 100644 --- a/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/auditbeat/exported-fields-jolokia-autodiscover.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword diff --git a/docs/reference/auditbeat/exported-fields-kubernetes-processor.md b/docs/reference/auditbeat/exported-fields-kubernetes-processor.md index e7e61358f7f0..366a47622ea5 100644 --- a/docs/reference/auditbeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/auditbeat/exported-fields-kubernetes-processor.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/auditbeat/exported-fields-process.md b/docs/reference/auditbeat/exported-fields-process.md index 91f014574da2..531401b5810f 100644 --- a/docs/reference/auditbeat/exported-fields-process.md +++ b/docs/reference/auditbeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields @@ -13,7 +15,6 @@ Process metadata fields alias to: process.executable - ## owner [_owner] Process owner information. diff --git a/docs/reference/auditbeat/exported-fields-system.md b/docs/reference/auditbeat/exported-fields-system.md index 913ca9a32c33..28733b2b9fe1 100644 --- a/docs/reference/auditbeat/exported-fields-system.md +++ b/docs/reference/auditbeat/exported-fields-system.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-system.html --- +% This file is generated! See scripts/generate_fields_docs.py + # System fields [exported-fields-system] These are the fields generated by the system module. @@ -41,8 +43,7 @@ type: keyword example: ["CAP_BPF", "CAP_SYS_ADMIN"] - -## hash [_hash_3] +## hash [_hash] Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values. @@ -118,11 +119,11 @@ type: keyword type: keyword +## system.audit [_system.audit] -## system.audit [_system_audit] -## host [_host_2] +## host [_host] `host` contains general host information. 
@@ -188,8 +189,7 @@ type: keyword type: ip - -## os [_os_2] +## os [_os] `os` contains information about the operating system. @@ -224,7 +224,7 @@ type: keyword **`system.audit.host.os.kernel`** -: The operating system’s kernel version. +: The operating system's kernel version. type: keyword @@ -235,13 +235,12 @@ type: keyword type: keyword - -## package [_package_2] +## package [_package] `package` contains information about an installed or removed package. **`system.audit.package.entity_id`** -: ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version. +: ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version. type: keyword @@ -298,8 +297,7 @@ type: long type: keyword - -## user [_user_3] +## user [_user] `user` contains information about the users on a system. @@ -322,7 +320,7 @@ type: keyword **`system.audit.user.dir`** -: User’s home directory. +: User's home directory. type: keyword 
@@ -340,24 +338,23 @@ type: keyword **`system.audit.user.group`** -: `group` contains information about any groups the user is part of (beyond the user’s primary group). +: `group` contains information about any groups the user is part of (beyond the user's primary group). type: object +## password [_password] -## password [_password_5] - -`password` contains information about a user’s password (not the password itself). +`password` contains information about a user's password (not the password itself). **`system.audit.user.password.type`** -: A user’s password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password). +: A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password). type: keyword **`system.audit.user.password.last_changed`** -: The day the user’s password was last changed. +: The day the user's password was last changed. type: date diff --git a/docs/reference/auditbeat/exported-fields.md b/docs/reference/auditbeat/exported-fields.md index 61e48cfd67aa..88da3de3d872 100644 --- a/docs/reference/auditbeat/exported-fields.md +++ b/docs/reference/auditbeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Auditbeat. They are grouped in the following categories: 
@@ -19,4 +21,3 @@ This document describes the fields that are exported by Auditbeat. They are grou * [*Kubernetes fields*](/reference/auditbeat/exported-fields-kubernetes-processor.md) * [*Process fields*](/reference/auditbeat/exported-fields-process.md) * [*System fields*](/reference/auditbeat/exported-fields-system.md) - diff --git a/docs/reference/filebeat/exported-fields-activemq.md b/docs/reference/filebeat/exported-fields-activemq.md index 71b9572ca970..13813a972e95 100644 --- a/docs/reference/filebeat/exported-fields-activemq.md +++ b/docs/reference/filebeat/exported-fields-activemq.md @@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-activemq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ActiveMQ fields [exported-fields-activemq] Module for parsing ActiveMQ log files. - ## activemq [_activemq] + + **`activemq.caller`** : Name of the caller issuing the logging request (class or resource). @@ -28,12 +31,10 @@ type: keyword type: keyword - ## audit [_audit] Fields from ActiveMQ audit logs. - ## log [_log] Fields from ActiveMQ application logs. diff --git a/docs/reference/filebeat/exported-fields-apache.md b/docs/reference/filebeat/exported-fields-apache.md index 259bb6fee646..72057389ad2c 100644 --- a/docs/reference/filebeat/exported-fields-apache.md +++ b/docs/reference/filebeat/exported-fields-apache.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-apache.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Apache fields [exported-fields-apache] Apache Module - ## apache [_apache] Apache fields. - ## access [_access] Contains fields for the Apache HTTP Server access logs. @@ -29,7 +29,6 @@ type: keyword type: keyword - ## error [_error] Fields from the Apache error logs. 
diff --git a/docs/reference/filebeat/exported-fields-auditd.md b/docs/reference/filebeat/exported-fields-auditd.md index 86db1a334e57..0298df6dcf1e 100644 --- a/docs/reference/filebeat/exported-fields-auditd.md +++ b/docs/reference/filebeat/exported-fields-auditd.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-auditd.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Auditd fields [exported-fields-auditd] Module for parsing auditd logs. @@ -117,13 +119,11 @@ type: keyword type: keyword - ## auditd [_auditd] Fields from the auditd logs. - -## log [_log_2] +## log [_log] Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type. diff --git a/docs/reference/filebeat/exported-fields-aws-cloudwatch.md b/docs/reference/filebeat/exported-fields-aws-cloudwatch.md index 847bb00da8eb..970fa3566541 100644 --- a/docs/reference/filebeat/exported-fields-aws-cloudwatch.md +++ b/docs/reference/filebeat/exported-fields-aws-cloudwatch.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-aws-cloudwatch.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AWS CloudWatch fields [exported-fields-aws-cloudwatch] Fields from AWS CloudWatch logs. - -## aws.cloudwatch [_aws_cloudwatch] +## aws.cloudwatch [_aws.cloudwatch] Fields from AWS CloudWatch logs. diff --git a/docs/reference/filebeat/exported-fields-aws.md b/docs/reference/filebeat/exported-fields-aws.md index 82c2d0f244b5..a2e1b62432d9 100644 --- a/docs/reference/filebeat/exported-fields-aws.md +++ b/docs/reference/filebeat/exported-fields-aws.md 
@@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-aws.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AWS fields [exported-fields-aws] Module for handling logs from AWS. - ## aws [_aws] Fields from AWS logs. - ## cloudtrail [_cloudtrail] Fields for AWS CloudTrail logs. @@ -23,7 +23,6 @@ Fields for AWS CloudTrail logs. type: keyword - ## user_identity [_user_identity] The userIdentity element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained. @@ -46,7 +45,6 @@ type: keyword type: keyword - ## session_context [_session_context] If the request was made with temporary security credentials, an element that provides information about the session that was created for those credentials @@ -63,7 +61,6 @@ type: keyword type: date - ## session_issuer [_session_issuer] If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained. @@ -170,7 +167,6 @@ type: keyword type: keyword - ## resources [_resources] A list of resources accessed in the event. @@ -222,21 +218,15 @@ type: keyword **`aws.cloudtrail.event_category`** -: Shows the event category that is used in LookupEvents calls. - -* For management events, the value is management. -* For data events, the value is data. -* For Insights events, the value is insight. +: Shows the event category that is used in LookupEvents calls. - For management events, the value is management. - For data events, the value is data. - For Insights events, the value is insight. type: keyword - ## console_login [_console_login] Fields specific to ConsoleLogin events - ## additional_eventdata [_additional_eventdata] Additional Event Data for ConsoleLogin events 
@@ -259,10 +249,9 @@ type: keyword type: boolean - ## flattened [_flattened] -ES flattened datatype for objects where the subfields aren’t known in advance. +ES flattened datatype for objects where the subfields aren't known in advance. **`aws.cloudtrail.flattened.additional_eventdata`** : Additional data about the event that was not part of the request or response. @@ -288,7 +277,6 @@ type: flattened type: flattened - ## digest [_digest] Fields from Cloudtrail Digest Logs @@ -365,7 +353,6 @@ type: keyword type: flattened - ## cloudwatch [_cloudwatch] Fields for AWS CloudWatch logs. @@ -376,7 +363,6 @@ Fields for AWS CloudWatch logs. type: text - ## ec2 [_ec2] Fields for AWS EC2 logs in CloudWatch. @@ -387,7 +373,6 @@ Fields for AWS EC2 logs in CloudWatch. type: keyword - ## elb [_elb] Fields for AWS ELB logs. @@ -519,7 +504,7 @@ type: keyword **`aws.elb.action_executed`** -: The action executed when processing the request (forward, fixed-response, authenticate…). It can contain several values. +: The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values. type: keyword @@ -560,7 +545,6 @@ type: keyword type: keyword - ## s3access [_s3access] Fields for AWS S3 server access logs. @@ -638,7 +622,7 @@ type: long **`aws.s3access.total_time`** -: The number of milliseconds the request was in flight from the server’s perspective. +: The number of milliseconds the request was in flight from the server's perspective. type: long @@ -703,7 +687,6 @@ type: keyword type: keyword - ## vpcflow [_vpcflow] Fields for AWS VPC flow logs. @@ -739,7 +722,7 @@ type: keyword **`aws.vpcflow.instance_id`** -: The ID of the instance that’s associated with network interface for which the traffic is recorded, if the instance is owned by you. +: The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. type: keyword 
@@ -775,7 +758,7 @@ type: keyword **`aws.vpcflow.tcp_flags_array`** -: List of TCP flags: *fin, syn, rst, psh, ack, urg* +: List of TCP flags: 'fin, syn, rst, psh, ack, urg' type: keyword diff --git a/docs/reference/filebeat/exported-fields-awsfargate.md b/docs/reference/filebeat/exported-fields-awsfargate.md index 2f5da54155bc..be185333c012 100644 --- a/docs/reference/filebeat/exported-fields-awsfargate.md +++ b/docs/reference/filebeat/exported-fields-awsfargate.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-awsfargate.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AWS Fargate fields [exported-fields-awsfargate] Module for collecting container logs from Amazon ECS Fargate. - ## awsfargate [_awsfargate] Fields from Amazon ECS Fargate logs. - -## log [_log_3] +## log [_log] Fields for Amazon Fargate container logs. diff --git a/docs/reference/filebeat/exported-fields-azure.md b/docs/reference/filebeat/exported-fields-azure.md index c21190a4acbb..139894295c79 100644 --- a/docs/reference/filebeat/exported-fields-azure.md +++ b/docs/reference/filebeat/exported-fields-azure.md @@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-azure.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Azure fields [exported-fields-azure] Azure Module - ## azure [_azure] + + **`azure.subscription_id`** : Azure subscription ID @@ -28,7 +31,6 @@ type: keyword type: keyword - ## resource [_resource] Resource @@ -69,7 +71,6 @@ type: keyword type: keyword - ## activitylogs [_activitylogs] Fields for Azure activity logs. @@ -80,12 +81,10 @@ Fields for Azure activity logs. type: keyword - ## identity [_identity] Identity - ## claims_initiated_by_user [_claims_initiated_by_user] Claims initiated by user @@ -126,7 +125,6 @@ type: keyword type: object - ## authorization [_authorization] Authorization 
@@ -143,7 +141,6 @@ type: keyword type: keyword - ## evidence [_evidence] Evidence @@ -238,7 +235,6 @@ type: keyword type: flattened - ## auditlogs [_auditlogs] Fields for Azure audit logs. @@ -279,7 +275,6 @@ type: keyword type: keyword - ## properties [_properties] The audit log properties @@ -338,8 +333,7 @@ type: date type: keyword - -## target_resources.* [_target_resources] +## target_resources.* [_target_resources.*] Target resources @@ -373,8 +367,7 @@ type: keyword type: keyword - -## modified_properties.* [_modified_properties] +## modified_properties.* [_modified_properties.*] Modified properties @@ -396,12 +389,10 @@ type: keyword type: keyword - ## initiated_by [_initiated_by] Information regarding the initiator - ## app [_app] App @@ -430,7 +421,6 @@ type: keyword type: keyword - ## user [_user] User @@ -459,7 +449,6 @@ type: keyword type: keyword - ## platformlogs [_platformlogs] Fields for Azure platform logs. @@ -554,7 +543,6 @@ type: keyword type: flattened - ## signinlogs [_signinlogs] Fields for Azure sign-in logs. diff --git a/docs/reference/filebeat/exported-fields-beat-common.md b/docs/reference/filebeat/exported-fields-beat-common.md index a08765d86088..861823e1f0a3 100644 --- a/docs/reference/filebeat/exported-fields-beat-common.md +++ b/docs/reference/filebeat/exported-fields-beat-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/filebeat/exported-fields-cef-module.md b/docs/reference/filebeat/exported-fields-cef-module.md index e1262cd78bfd..d9b44d77301c 100644 --- a/docs/reference/filebeat/exported-fields-cef-module.md +++ b/docs/reference/filebeat/exported-fields-cef-module.md 
@@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cef-module.html --- +% This file is generated! See scripts/generate_fields_docs.py + # CEF fields [exported-fields-cef-module] Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. - ## forcepoint [_forcepoint] Fields for Forcepoint Custom String mappings @@ -18,7 +19,6 @@ Fields for Forcepoint Custom String mappings type: keyword - ## checkpoint [_checkpoint] Fields for Check Point custom string mappings. @@ -269,8 +269,7 @@ type: keyword type: keyword - -## cef.extensions [_cef_extensions] +## cef.extensions [_cef.extensions] Extra vendor-specific extensions. diff --git a/docs/reference/filebeat/exported-fields-cef.md b/docs/reference/filebeat/exported-fields-cef.md index cb260b32f100..ec432d76e959 100644 --- a/docs/reference/filebeat/exported-fields-cef.md +++ b/docs/reference/filebeat/exported-fields-cef.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cef.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Decode CEF processor fields fields [exported-fields-cef] Common Event Format (CEF) data. - ## cef [_cef] By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data. @@ -56,7 +57,6 @@ example: Very-High type: keyword - ## extensions [_extensions] Collection of key-value pairs carried in the CEF extension field. 
@@ -200,13 +200,13 @@ type: keyword **`cef.extensions.destinationGeoLatitude`** -: The latitudinal value from which the destination’s IP address belongs. +: The latitudinal value from which the destination's IP address belongs. type: double **`cef.extensions.destinationGeoLongitude`** -: The longitudinal value from which the destination’s IP address belongs. +: The longitudinal value from which the destination's IP address belongs. type: double @@ -242,7 +242,7 @@ type: long **`cef.extensions.destinationProcessName`** -: The name of the event’s destination process. +: The name of the event's destination process. type: keyword @@ -284,13 +284,13 @@ type: keyword **`cef.extensions.destinationUserName`** -: Identifies the destination user by name. This is the user associated with the event’s destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. +: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. type: keyword **`cef.extensions.destinationUserPrivileges`** -: The typical values are "Administrator", "User", and "Guest". This identifies the destination user’s privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". +: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". type: keyword @@ -704,7 +704,7 @@ type: long **`cef.extensions.eventOutcome`** -: Displays the outcome, usually as *success* or *failure*. +: Displays the outcome, usually as 'success' or 'failure'. type: keyword 
@@ -932,7 +932,7 @@ type: double **`cef.extensions.sourceHostName`** -: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: *host* or *host.domain.com*. +: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. type: keyword @@ -964,7 +964,7 @@ type: long **`cef.extensions.sourceProcessName`** -: The name of the event’s source process. +: The name of the event's source process. type: keyword @@ -1012,7 +1012,7 @@ type: keyword **`cef.extensions.sourceUserPrivileges`** -: The typical values are "Administrator", "User", and "Guest". It identifies the source user’s privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". +: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". type: keyword @@ -1060,7 +1060,7 @@ type: keyword **`cef.extensions.categoryBehavior`** -: Action or a behavior associated with an event. It’s what is being done to the object. +: Action or a behavior associated with an event. It's what is being done to the object. type: keyword diff --git a/docs/reference/filebeat/exported-fields-checkpoint.md b/docs/reference/filebeat/exported-fields-checkpoint.md index 5905e0056e24..d6d34c77fcc4 100644 --- a/docs/reference/filebeat/exported-fields-checkpoint.md +++ b/docs/reference/filebeat/exported-fields-checkpoint.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-checkpoint.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Checkpoint fields [exported-fields-checkpoint] Some checkpoint module - -## checkpoint [_checkpoint_2] +## checkpoint [_checkpoint] Module for parsing Checkpoint syslog. @@ -559,7 +560,7 @@ type: keyword **`checkpoint.sig_id`** -: Application’s signature ID which how it was detected by. +: Application's signature ID which how it was detected by. type: keyword @@ -799,7 +800,7 @@ type: keyword **`checkpoint.special_properties`** -: If this field is set to *1* the log will not be shown (in use for monitoring scan progress). +: If this field is set to '1' the log will not be shown (in use for monitoring scan progress). type: integer @@ -1291,7 +1292,7 @@ type: keyword **`checkpoint.mime_from`** -: Sender’s address. +: Sender's address. type: keyword @@ -1435,7 +1436,7 @@ type: keyword **`checkpoint.developer_certificate_name`** -: Name of the developer’s certificate that was used to sign the mobile application. +: Name of the developer's certificate that was used to sign the mobile application. type: keyword @@ -1489,7 +1490,7 @@ type: keyword **`checkpoint.email_status`** -: Describes the email’s state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended +: Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended type: keyword @@ -1795,19 +1796,19 @@ type: keyword **`checkpoint.parent_file_hash`** -: Archive’s hash in case of extracted files. +: Archive's hash in case of extracted files. type: keyword **`checkpoint.parent_file_name`** -: Archive’s name in case of extracted files. +: Archive's name in case of extracted files. type: keyword **`checkpoint.parent_file_uid`** -: Archive’s UID in case of extracted files. +: Archive's UID in case of extracted files. type: keyword 
@@ -2035,7 +2036,7 @@ type: keyword **`checkpoint.sip_reason`** -: Explains why *source_ip* isn’t allowed to redirect (handover). +: Explains why 'source_ip' isn't allowed to redirect (handover). type: keyword diff --git a/docs/reference/filebeat/exported-fields-cisco.md b/docs/reference/filebeat/exported-fields-cisco.md index c2683a3fcc9c..8cf0cb26c2d3 100644 --- a/docs/reference/filebeat/exported-fields-cisco.md +++ b/docs/reference/filebeat/exported-fields-cisco.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cisco.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cisco fields [exported-fields-cisco] Module for handling Cisco network device logs. - -## cisco.amp [_cisco_amp] +## cisco.amp [_cisco.amp] Module for parsing Cisco AMP logs. @@ -325,7 +326,7 @@ type: flattened **`cisco.amp.mitre_tactics`** -: Array of all related mitre tactic ID’s +: Array of all related mitre tactic ID's type: keyword @@ -337,7 +338,7 @@ type: flattened **`cisco.amp.mitre_techniques`** -: Array of all related mitre technique ID’s +: Array of all related mitre technique ID's type: keyword @@ -354,8 +355,7 @@ type: keyword type: flattened - -## cisco.asa [_cisco_asa] +## cisco.asa [_cisco.asa] Fields for Cisco ASA Firewall. @@ -589,8 +589,7 @@ type: keyword type: keyword - -## cisco.ftd [_cisco_ftd] +## cisco.ftd [_cisco.ftd] Fields for Cisco Firepower Threat Defense Firewall. @@ -740,8 +739,7 @@ type: keyword type: keyword - -## cisco.ios [_cisco_ios] +## cisco.ios [_cisco.ios] Fields for Cisco IOS logs. @@ -759,8 +757,7 @@ type: keyword example: SEC - -## cisco.umbrella [_cisco_umbrella] +## cisco.umbrella [_cisco.umbrella] Fields for Cisco Umbrella. diff --git a/docs/reference/filebeat/exported-fields-cloud.md b/docs/reference/filebeat/exported-fields-cloud.md index 31d6f8a522cf..c8ed219077a7 100644 --- a/docs/reference/filebeat/exported-fields-cloud.md 
+++ b/docs/reference/filebeat/exported-fields-cloud.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/filebeat/exported-fields-coredns.md b/docs/reference/filebeat/exported-fields-coredns.md index 6acf696e4d90..a409857207b7 100644 --- a/docs/reference/filebeat/exported-fields-coredns.md +++ b/docs/reference/filebeat/exported-fields-coredns.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-coredns.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Coredns fields [exported-fields-coredns] Module for handling logs produced by coredns - ## coredns [_coredns] coredns fields after normalization diff --git a/docs/reference/filebeat/exported-fields-crowdstrike.md b/docs/reference/filebeat/exported-fields-crowdstrike.md index 525f2c933d02..c35af28a6af2 100644 --- a/docs/reference/filebeat/exported-fields-crowdstrike.md +++ b/docs/reference/filebeat/exported-fields-crowdstrike.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-crowdstrike.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Crowdstrike fields [exported-fields-crowdstrike] Module for collecting Crowdstrike events. - ## crowdstrike [_crowdstrike] Fields for Crowdstrike Falcon event and alert data. - -## metadata [_metadata_2] +## metadata [_metadata] Meta data fields for each event that include type and timestamp. @@ -47,7 +47,6 @@ type: keyword type: keyword - ## event [_event] Event data fields for each event and alert. 
diff --git a/docs/reference/filebeat/exported-fields-cyberarkpas.md b/docs/reference/filebeat/exported-fields-cyberarkpas.md index 6bc21632e06a..c6724622d6eb 100644 --- a/docs/reference/filebeat/exported-fields-cyberarkpas.md +++ b/docs/reference/filebeat/exported-fields-cyberarkpas.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-cyberarkpas.html --- +% This file is generated! See scripts/generate_fields_docs.py + # CyberArk PAS fields [exported-fields-cyberarkpas] cyberarkpas fields. - -## audit [_audit_2] +## audit [_audit] Cyberark Privileged Access Security Audit fields. @@ -18,7 +19,6 @@ Cyberark Privileged Access Security Audit fields. type: keyword - ## ca_properties [_ca_properties] Account metadata. @@ -151,7 +151,6 @@ type: keyword type: keyword - ## extra_details [_extra_details] Specific extra details of the audit records. diff --git a/docs/reference/filebeat/exported-fields-docker-processor.md b/docs/reference/filebeat/exported-fields-docker-processor.md index 81cfd82e4f21..9ab088b0d0f4 100644 --- a/docs/reference/filebeat/exported-fields-docker-processor.md +++ b/docs/reference/filebeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. diff --git a/docs/reference/filebeat/exported-fields-ecs.md b/docs/reference/filebeat/exported-fields-ecs.md index 72f2dccdb3d7..070641cf8451 100644 --- a/docs/reference/filebeat/exported-fields-ecs.md +++ b/docs/reference/filebeat/exported-fields-ecs.md 
@@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Filebeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Filebeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] - ## agent [_agent] -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text - ## client [_client] -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,8 +746,7 @@ type: boolean example: true - -## container [_container_2] +## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs - ## destination [_destination] -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - -## ecs [_ecs_2] +## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword +## error [_error] -## error [_error_2] - -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException +## event [_event] -## event [_event_2] - -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http +## file [_file] -## file [_file_2] - -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,7 +2773,6 @@ type: keyword example: America/Argentina/Buenos_Aires - ## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 +## log [_log] -## log [_log_4] - -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error - ## network [_network] -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal **`observer.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3763,7 +3761,7 @@ example: darwin **`observer.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3814,7 +3812,6 @@ example: Symantec type: keyword - ## orchestrator [_orchestrator] Fields that describe the resources which container orchestrators manage or act upon. @@ -3885,10 +3882,10 @@ type: keyword example: kubernetes - ## organization [_organization] -The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. **`organization.id`** : Unique identifier for the organization. @@ -3906,7 +3903,6 @@ type: keyword : type: match_only_text - ## os [_os] The OS fields contain information about the operating system. 
@@ -3960,7 +3956,7 @@ example: darwin **`os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3975,7 +3971,6 @@ type: keyword example: 10.14.1 - ## package [_package] These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. @@ -4027,7 +4022,7 @@ type: date **`package.license`** -: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)). +: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword @@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/ type: keyword -example: [https://golang.org](https://golang.org) +example: https://golang.org **`package.size`** @@ -4084,7 +4079,6 @@ type: keyword example: 1.12.9 - ## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415 **`pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -4145,10 +4139,10 @@ type: keyword example: Microsoft® Windows® Operating System +## process [_process] -## process [_process_2] - -These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. **`process.args`** : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. @@ -4275,7 +4269,7 @@ example: Intel **`process.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -4645,7 +4639,7 @@ example: Intel **`process.parent.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -4923,7 +4917,7 @@ example: 6.3.9600.17415 **`process.parent.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415 **`process.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -5150,7 +5144,6 @@ example: /home/alice : type: match_only_text - ## registry [_registry] Fields related to Windows Registry operations. 
@@ -5211,13 +5204,14 @@ type: keyword example: Debugger - ## related [_related] -This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. **`related.hash`** -: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). +: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword 
@@ -5240,10 +5234,10 @@ type: ip type: keyword - ## rule [_rule] -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. **`rule.author`** : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. @@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS **`rule.reference`** -: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) +example: https://en.wikipedia.org/wiki/DNS_over_TLS **`rule.ruleset`** 
@@ -5325,10 +5319,11 @@ type: keyword example: 1.1 - ## server [_server] -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`server.address`** : Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5383,7 +5378,7 @@ example: Montreal **`server.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -5507,7 +5502,7 @@ format: string **`server.registered_domain`** -: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -5523,7 +5518,7 @@ example: east **`server.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5543,7 +5538,7 @@ type: keyword **`server.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -5606,10 +5601,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## service [_service] -The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. **`service.address`** : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics **`service.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics **`service.origin.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics **`service.target.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5821,10 +5816,10 @@ type: keyword example: 3.2.4 +## source [_source] -## source [_source_2] - -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`source.address`** : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5879,7 +5874,7 @@ example: Montreal **`source.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -6003,7 +5998,7 @@ format: string **`source.registered_domain`** -: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -6019,7 +6014,7 @@ example: east **`source.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6039,7 +6034,7 @@ type: keyword **`source.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -6102,10 +6097,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## threat [_threat] -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). **`threat.enrichments`** : A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -6140,7 +6135,7 @@ example: Google LLC **`threat.enrichments.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword 
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.enrichments.indicator.file.accessed`** @@ -6170,7 +6165,7 @@ type: date **`threat.enrichments.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -6310,7 +6305,7 @@ example: Intel **`threat.enrichments.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -6548,7 +6543,7 @@ example: 256383 **`threat.enrichments.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -6576,7 +6571,7 @@ example: example.png **`threat.enrichments.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword 
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415 **`threat.enrichments.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -6824,7 +6819,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -6894,7 +6889,7 @@ example: Montreal **`threat.enrichments.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.enrichments.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -7014,7 +7009,7 @@ example: 443 **`threat.enrichments.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -7026,7 +7021,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.enrichments.indicator.registry.data.bytes`** @@ -7102,7 +7097,7 @@ example: 20 **`threat.enrichments.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -7136,7 +7131,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.enrichments.indicator.url.full.text`** 
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.enrichments.indicator.url.original.text`** @@ -7184,7 +7179,7 @@ type: keyword **`threat.enrichments.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,8 +9550,7 @@ type: keyword example: 00f067aa0ba902b7 - -## url [_url_3] +## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword +## user [_user] -## user [_user_2] - -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/filebeat/exported-fields-elasticsearch.md b/docs/reference/filebeat/exported-fields-elasticsearch.md index e16a887cb1fb..16998e512f89 100644 --- a/docs/reference/filebeat/exported-fields-elasticsearch.md +++ b/docs/reference/filebeat/exported-fields-elasticsearch.md @@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-elasticsearch.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Elasticsearch fields [exported-fields-elasticsearch] elasticsearch Module - ## elasticsearch [_elasticsearch] + + **`elasticsearch.component`** : Elasticsearch component from where the log event originated @@ -129,7 +132,7 @@ type: keyword **`elasticsearch.audit.user.realm`** -: The user’s authentication realm, if authenticated +: The user's authentication realm, if authenticated type: keyword @@ -139,7 +142,7 @@ type: keyword type: keyword -example: [*kibana_admin*, *beats_admin*] +example: ['kibana_admin', 'beats_admin'] **`elasticsearch.audit.user.run_as.name`** 
@@ -173,7 +176,7 @@ example: {username=jacknich2} type: keyword -example: [*foo-2019.01.04*, *foo-2019.01.03*, *foo-2019.01.06*] +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] **`elasticsearch.audit.request.id`** @@ -232,15 +235,14 @@ alias to: user.name : type: text - ## deprecation [_deprecation] + ## gc [_gc] GC fileset fields. - ## phase [_phase] Fields specific to GC phase. @@ -287,7 +289,6 @@ type: float type: float - ## cpu_time [_cpu_time] Process CPU time spent performing collections. @@ -334,7 +335,6 @@ type: float type: keyword - ## heap [_heap] Heap allocation and total size. @@ -351,7 +351,6 @@ type: integer type: integer - ## old_gen [_old_gen] Old generation occupancy and total size. @@ -368,7 +367,6 @@ type: integer type: integer - ## young_gen [_young_gen] Young generation occupancy and total size. @@ -385,8 +383,7 @@ type: integer type: integer - -## server [_server_2] +## server [_server] Server log file @@ -394,12 +391,10 @@ Server log file : Field is not indexed. - -## gc [_gc_2] +## gc [_gc] GC log - ## young [_young] Young GC @@ -407,13 +402,13 @@ Young GC **`elasticsearch.server.gc.young.one`** : type: long -example: +example: **`elasticsearch.server.gc.young.two`** : type: long -example: +example: **`elasticsearch.server.gc.overhead_seq`** @@ -440,7 +435,6 @@ type: float example: 1800 - ## slowlog [_slowlog] Slowlog events from Elasticsearch @@ -466,7 +460,7 @@ example: 300ms type: keyword -example: +example: **`elasticsearch.slowlog.stats`** @@ -498,7 +492,7 @@ example: {"query":{"match_all":{"boost":1.0}}} type: keyword -example: +example: **`elasticsearch.slowlog.total_hits`** @@ -530,7 +524,7 @@ example: s01HZ2QBk9jw4gtgaFtn type: keyword -example: +example: **`elasticsearch.slowlog.type`** diff --git a/docs/reference/filebeat/exported-fields-envoyproxy.md b/docs/reference/filebeat/exported-fields-envoyproxy.md index f3becb7610a4..9b46e1ced2ce 100644 --- a/docs/reference/filebeat/exported-fields-envoyproxy.md 
+++ b/docs/reference/filebeat/exported-fields-envoyproxy.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-envoyproxy.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Envoyproxy fields [exported-fields-envoyproxy] Module for handling logs produced by envoy - ## envoyproxy [_envoyproxy] Fields from envoy proxy logs after normalization diff --git a/docs/reference/filebeat/exported-fields-fortinet.md b/docs/reference/filebeat/exported-fields-fortinet.md index 6632cf7caa76..27ae75087194 100644 --- a/docs/reference/filebeat/exported-fields-fortinet.md +++ b/docs/reference/filebeat/exported-fields-fortinet.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-fortinet.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Fortinet fields [exported-fields-fortinet] fortinet Module - ## fortinet [_fortinet] Fields from fortinet FortiOS @@ -18,7 +19,6 @@ Fields from fortinet FortiOS type: keyword - ## firewall [_firewall] Module for parsing Fortinet syslog. diff --git a/docs/reference/filebeat/exported-fields-gcp.md b/docs/reference/filebeat/exported-fields-gcp.md index b5849d9e4c2c..7aa9ad9b4361 100644 --- a/docs/reference/filebeat/exported-fields-gcp.md +++ b/docs/reference/filebeat/exported-fields-gcp.md 
@@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-gcp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Google Cloud Platform (GCP) fields [exported-fields-gcp] Module for handling logs from Google Cloud. - ## gcp [_gcp] Fields from Google Cloud logs. - -## destination.instance [_destination_instance] +## destination.instance [_destination.instance] If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. @@ -35,8 +35,7 @@ type: keyword type: keyword - -## destination.vpc [_destination_vpc] +## destination.vpc [_destination.vpc] If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. @@ -58,8 +57,7 @@ type: keyword type: keyword - -## source.instance [_source_instance] +## source.instance [_source.instance] If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. @@ -81,8 +79,7 @@ type: keyword type: keyword - -## source.vpc [_source_vpc] +## source.vpc [_source.vpc] If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. @@ -104,8 +101,7 @@ type: keyword type: keyword - -## audit [_audit_3] +## audit [_audit] Fields for Google Cloud audit logs. @@ -115,7 +111,6 @@ Fields for Google Cloud audit logs. type: keyword - ## authentication_info [_authentication_info] Authentication information. 
@@ -139,7 +134,7 @@ type: array **`gcp.audit.method_name`** -: The name of the service method or operation. For API calls, this should be the name of the API method. For example, *google.datastore.v1.Datastore.RunQuery*. +: The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. type: keyword @@ -150,7 +145,6 @@ type: keyword type: long - ## request [_request] The operation request. @@ -179,7 +173,6 @@ type: keyword type: keyword - ## request_metadata [_request_metadata] Metadata about the request. @@ -196,7 +189,6 @@ type: ip type: keyword - ## response [_response] The operation response. @@ -207,7 +199,6 @@ The operation response. type: keyword - ## details [_details] The details of the response. @@ -243,12 +234,11 @@ type: keyword **`gcp.audit.resource_name`** -: The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, *shelves/SHELF_ID/books*. +: The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. type: keyword - ## resource_location [_resource_location] The location of the resource. @@ -265,7 +255,6 @@ type: keyword type: keyword - ## status [_status] The status of the overall operation. @@ -282,12 +271,10 @@ type: integer type: keyword - -## firewall [_firewall_2] +## firewall [_firewall] Fields for Google Cloud Firewall logs. - ## rule_details [_rule_details] Description of the firewall rule that matched this connection. @@ -358,13 +345,12 @@ type: keyword type: keyword - -## vpcflow [_vpcflow_2] +## vpcflow [_vpcflow] Fields for Google Cloud VPC flow logs. **`gcp.vpcflow.reporter`** -: The side which reported the flow. Can be either *SRC* or *DEST*. +: The side which reported the flow. Can be either 'SRC' or 'DEST'. type: keyword 
diff --git a/docs/reference/filebeat/exported-fields-google_workspace.md b/docs/reference/filebeat/exported-fields-google_workspace.md index 6fa5fefbd3f0..0dc4f37cb190 100644 --- a/docs/reference/filebeat/exported-fields-google_workspace.md +++ b/docs/reference/filebeat/exported-fields-google_workspace.md @@ -3,17 +3,19 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-google_workspace.html --- +% This file is generated! See scripts/generate_fields_docs.py + # google_workspace fields [exported-fields-google_workspace] Google Workspace Module - ## google_workspace [_google_workspace] -Google Workspace specific fields. More information about specific fields can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list) +Google Workspace specific fields. +More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list **`google_workspace.actor.type`** -: The type of actor. Values can be: **USER**: Another user in the same domain. **EXTERNAL_USER**: A user outside the domain. **KEY**: A non-human actor. +: The type of actor. Values can be: *USER*: Another user in the same domain. *EXTERNAL_USER*: A user outside the domain. *KEY*: A non-human actor. type: keyword 
@@ -25,7 +27,7 @@ type: keyword **`google_workspace.event.type`** -: The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list) +: The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword @@ -33,7 +35,7 @@ example: audit#activity **`google_workspace.kind`** -: The type of API resource, mapped from `kind` in the original payload. More details can be found at [https://developers.google.com/admin-sdk/reports/v1/reference/activities/list](https://developers.google.com/admin-sdk/reports/v1/reference/activities/list) +: The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword @@ -41,7 +43,7 @@ example: audit#activity **`google_workspace.organization.domain`** -: The domain that is affected by the report’s event. +: The domain that is affected by the report's event. type: keyword @@ -53,7 +55,7 @@ type: keyword **`google_workspace.admin.application.name`** -: The application’s name. +: The application's name. type: keyword @@ -95,7 +97,7 @@ type: keyword **`google_workspace.admin.group.email`** -: The group’s primary email address. +: The group's primary email address. type: keyword 
@@ -173,7 +175,7 @@ type: keyword **`google_workspace.admin.non_featured_services_selection`** -: Non-featured services selection. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED) +: Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED type: keyword @@ -191,19 +193,19 @@ type: keyword **`google_workspace.admin.user.email`** -: The user’s primary email address. +: The user's primary email address. type: keyword **`google_workspace.admin.user.nickname`** -: The user’s nickname. +: The user's nickname. type: keyword **`google_workspace.admin.user.birthdate`** -: The user’s birth date. +: The user's birth date. type: date @@ -261,7 +263,7 @@ type: keyword **`google_workspace.admin.role.name`** -: The role name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings) +: The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings type: keyword 
@@ -321,61 +323,61 @@ type: keyword **`google_workspace.admin.email.log_search_filter.message_id`** -: The log search filter’s email message ID. +: The log search filter's email message ID. type: keyword **`google_workspace.admin.email.log_search_filter.start_date`** -: The log search filter’s start date. +: The log search filter's start date. type: date **`google_workspace.admin.email.log_search_filter.end_date`** -: The log search filter’s ending date. +: The log search filter's ending date. type: date **`google_workspace.admin.email.log_search_filter.recipient.value`** -: The log search filter’s email recipient. +: The log search filter's email recipient. type: keyword **`google_workspace.admin.email.log_search_filter.sender.value`** -: The log search filter’s email sender. +: The log search filter's email sender. type: keyword **`google_workspace.admin.email.log_search_filter.recipient.ip`** -: The log search filter’s email recipient’s IP address. +: The log search filter's email recipient's IP address. type: ip **`google_workspace.admin.email.log_search_filter.sender.ip`** -: The log search filter’s email sender’s IP address. +: The log search filter's email sender's IP address. type: ip **`google_workspace.admin.chrome_licenses.enabled`** -: Licences enabled. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings) +: Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings type: keyword **`google_workspace.admin.chrome_licenses.allowed`** -: Licences enabled. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings) +: Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings type: keyword **`google_workspace.admin.oauth2.service.name`** -: OAuth2 service name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings) +: OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings type: keyword @@ -393,13 +395,13 @@ type: keyword **`google_workspace.admin.oauth2.application.type`** -: OAuth2 application type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings) +: OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings type: keyword **`google_workspace.admin.verification_method`** -: Related verification method. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings) and [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings) +: Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings type: keyword 
@@ -435,13 +437,13 @@ type: keyword **`google_workspace.admin.mdm.vendor`** -: The MDM vendor’s name. +: The MDM vendor's name. type: keyword **`google_workspace.admin.info_type`** -: This will be used to state what kind of information was changed. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings) +: This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings type: keyword @@ -501,13 +503,13 @@ type: keyword **`google_workspace.admin.mobile.action.id`** -: The mobile device action’s ID. +: The mobile device action's ID. type: keyword **`google_workspace.admin.mobile.action.type`** -: The mobile device action’s type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings) +: The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings type: keyword 
@@ -525,13 +527,13 @@ type: long **`google_workspace.admin.distribution.entity.name`** -: The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings) +: The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings type: keyword **`google_workspace.admin.distribution.entity.type`** -: The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings) +: The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings type: keyword @@ -563,7 +565,7 @@ type: boolean **`google_workspace.drive.file.type`** -: Document Drive type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword 
@@ -597,7 +599,7 @@ type: keyword **`google_workspace.drive.visibility`** -: Visibility of target file. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword 
@@ -639,25 +641,25 @@ type: keyword **`google_workspace.drive.added_role`** -: Added membership role of a user/group in a Team Drive. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword **`google_workspace.drive.membership_change_type`** -: Type of change in Team Drive membership of a user/group. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword **`google_workspace.drive.shared_drive_settings_change_type`** -: Type of change in Team Drive settings. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword **`google_workspace.drive.removed_role`** -: Removed membership role of a user/group in a Team Drive. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) +: Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword 
@@ -669,7 +671,7 @@ type: keyword **`google_workspace.groups.acl_permission`** -: Group permission setting updated. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword 
@@ -687,31 +689,31 @@ type: keyword **`google_workspace.groups.member.role`** -: Member role. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword **`google_workspace.groups.setting`** -: Group setting updated. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword **`google_workspace.groups.new_value`** -: New value(s) of the group setting. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword **`google_workspace.groups.old_value`** -: Old value(s) of the group setting. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword **`google_workspace.groups.value`** -: Value of the group setting. 
For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) +: Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword @@ -739,19 +741,19 @@ type: keyword **`google_workspace.login.challenge_method`** -: Login challenge method. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login). +: Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. type: keyword **`google_workspace.login.failure_type`** -: Login failure type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login). +: Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. type: keyword **`google_workspace.login.type`** -: Login credentials type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login). +: Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. type: keyword 
@@ -771,7 +773,7 @@ type: keyword **`google_workspace.saml.failure_type`** -: Login failure type. For a list of possible values refer to [https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml). +: Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. type: keyword diff --git a/docs/reference/filebeat/exported-fields-haproxy.md b/docs/reference/filebeat/exported-fields-haproxy.md index 1c52c481ad4b..93859bba9423 100644 --- a/docs/reference/filebeat/exported-fields-haproxy.md +++ b/docs/reference/filebeat/exported-fields-haproxy.md @@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-haproxy.html --- +% This file is generated! See scripts/generate_fields_docs.py + # HAProxy fields [exported-fields-haproxy] haproxy Module - ## haproxy [_haproxy] + + **`haproxy.frontend_name`** : Name of the frontend (or listener) which received and processed the connection. @@ -59,7 +62,7 @@ type: long **`haproxy.backend_queue`** -: Total number of requests which were processed before this one in the backend’s global queue. +: Total number of requests which were processed before this one in the backend's global queue. type: long @@ -90,7 +93,6 @@ type: keyword type: keyword - ## connections [_connections] Contains various counts of connections active in the process. @@ -125,8 +127,7 @@ type: long type: long - -## client [_client_2] +## client [_client] Information about the client doing the request @@ -154,8 +155,7 @@ alias to: process.name alias to: process.pid - -## destination [_destination_2] +## destination [_destination] Destination information 
@@ -171,7 +171,6 @@ alias to: destination.port alias to: destination.ip - ## geoip [_geoip] Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. @@ -212,13 +211,11 @@ alias to: source.geo.city_name alias to: source.geo.region_iso_code - -## http [_http_2] +## http [_http] Please add description - -## response [_response_2] +## response [_response] Fields related to the HTTP response @@ -238,8 +235,7 @@ type: keyword alias to: http.response.status_code - -## request [_request_2] +## request [_request] Fields related to the HTTP request @@ -271,7 +267,6 @@ type: long type: long - ## tcp [_tcp] TCP log format diff --git a/docs/reference/filebeat/exported-fields-host-processor.md b/docs/reference/filebeat/exported-fields-host-processor.md index f4eacbcc6060..fbc96041466a 100644 --- a/docs/reference/filebeat/exported-fields-host-processor.md +++ b/docs/reference/filebeat/exported-fields-host-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/filebeat/exported-fields-ibmmq.md b/docs/reference/filebeat/exported-fields-ibmmq.md index c2e371fad7a8..5e8df8dfb8d1 100644 --- a/docs/reference/filebeat/exported-fields-ibmmq.md +++ b/docs/reference/filebeat/exported-fields-ibmmq.md @@ -3,14 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ibmmq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ibmmq fields [exported-fields-ibmmq] ibmmq Module - ## ibmmq [_ibmmq] + ## errorlog [_errorlog] IBM MQ error logs diff --git a/docs/reference/filebeat/exported-fields-icinga.md b/docs/reference/filebeat/exported-fields-icinga.md index 7d2c0a731e36..e5cfb4cd4e66 100644 
--- a/docs/reference/filebeat/exported-fields-icinga.md +++ b/docs/reference/filebeat/exported-fields-icinga.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-icinga.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Icinga fields [exported-fields-icinga] Icinga Module - ## icinga [_icinga] -## debug [_debug_2] + +## debug [_debug] Contains fields for the Icinga debug logs. @@ -33,7 +35,6 @@ alias to: log.level alias to: message - ## main [_main] Contains fields for the Icinga main logs. @@ -56,7 +57,6 @@ alias to: log.level alias to: message - ## startup [_startup] Contains fields for the Icinga startup logs. diff --git a/docs/reference/filebeat/exported-fields-iis.md b/docs/reference/filebeat/exported-fields-iis.md index 759ecb8d7de8..2f0ce28efbde 100644 --- a/docs/reference/filebeat/exported-fields-iis.md +++ b/docs/reference/filebeat/exported-fields-iis.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iis.html --- +% This file is generated! See scripts/generate_fields_docs.py + # IIS fields [exported-fields-iis] Module for parsing IIS log files. - ## iis [_iis] Fields from IIS log files. - -## access [_access_2] +## access [_access] Contains fields for IIS access logs. @@ -191,8 +191,7 @@ alias to: source.geo.city_name alias to: source.geo.region_iso_code - -## error [_error_3] +## error [_error] Contains fields for IIS error logs. diff --git a/docs/reference/filebeat/exported-fields-iptables.md b/docs/reference/filebeat/exported-fields-iptables.md index ccce9163ad4f..ec1c405a61ab 100644 --- a/docs/reference/filebeat/exported-fields-iptables.md +++ b/docs/reference/filebeat/exported-fields-iptables.md 
@@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-iptables.html --- +% This file is generated! See scripts/generate_fields_docs.py + # iptables fields [exported-fields-iptables] Module for handling the iptables logs. - ## iptables [_iptables] Fields from the iptables logs. @@ -36,7 +37,6 @@ type: keyword type: long - ## icmp [_icmp] ICMP fields. @@ -119,8 +119,7 @@ type: long type: keyword - -## tcp [_tcp_2] +## tcp [_tcp] TCP fields. @@ -160,7 +159,6 @@ type: long type: integer - ## udp [_udp] UDP fields. @@ -171,7 +169,6 @@ UDP fields. type: long - ## ubiquiti [_ubiquiti] Fields for Ubiquiti network devices. diff --git a/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md b/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md index b9023a51b82c..1ec9aa668a7b 100644 --- a/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/filebeat/exported-fields-jolokia-autodiscover.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword diff --git a/docs/reference/filebeat/exported-fields-juniper.md b/docs/reference/filebeat/exported-fields-juniper.md index 762004b9d07f..ba93170240e9 100644 --- a/docs/reference/filebeat/exported-fields-juniper.md +++ b/docs/reference/filebeat/exported-fields-juniper.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-juniper.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Juniper JUNOS fields [exported-fields-juniper] juniper fields. - -## juniper.srx [_juniper_srx] +## juniper.srx [_juniper.srx] Module for parsing junipersrx syslog. diff --git a/docs/reference/filebeat/exported-fields-kafka.md b/docs/reference/filebeat/exported-fields-kafka.md index 8e8c9b6df493..6c917e1d3fb7 100644 --- a/docs/reference/filebeat/exported-fields-kafka.md +++ b/docs/reference/filebeat/exported-fields-kafka.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kafka.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kafka fields [exported-fields-kafka] Kafka module - ## kafka [_kafka] -## log [_log_5] + +## log [_log] Kafka log lines. @@ -33,7 +35,6 @@ type: keyword type: keyword - ## trace [_trace] Trace in the log line. diff --git a/docs/reference/filebeat/exported-fields-kibana.md b/docs/reference/filebeat/exported-fields-kibana.md index 05205fb07b21..af146ad6da62 100644 --- a/docs/reference/filebeat/exported-fields-kibana.md +++ b/docs/reference/filebeat/exported-fields-kibana.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kibana.html --- +% This file is generated! See scripts/generate_fields_docs.py + # kibana fields [exported-fields-kibana] kibana Module @@ -11,7 +13,6 @@ kibana Module : type: keyword - ## kibana [_kibana] Module for parsing Kibana logs. @@ -61,7 +62,7 @@ example: my-saved-object type: keyword -example: [*default*, *marketing*] +example: ['default', 'marketing'] **`kibana.delete_from_spaces`** @@ -69,7 +70,7 @@ example: [*default*, *marketing*] type: keyword -example: [*default*, *marketing*] +example: ['default', 'marketing'] **`kibana.authentication_provider`** 
@@ -104,8 +105,7 @@ type: keyword example: native - -## log [_log_6] +## log [_log] Kibana log lines. diff --git a/docs/reference/filebeat/exported-fields-kubernetes-processor.md b/docs/reference/filebeat/exported-fields-kubernetes-processor.md index 8d8f2d6e83a1..a6b6b8834e0e 100644 --- a/docs/reference/filebeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/filebeat/exported-fields-kubernetes-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/filebeat/exported-fields-log.md b/docs/reference/filebeat/exported-fields-log.md index e2e0908ddacc..f1b6dc4f38f8 100644 --- a/docs/reference/filebeat/exported-fields-log.md +++ b/docs/reference/filebeat/exported-fields-log.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-log.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Log file content fields [exported-fields-log] Contains log file lines. @@ -24,7 +26,7 @@ required: False **`stream`** -: Log stream when reading container logs, can be *stdout* or *stderr* +: Log stream when reading container logs, can be 'stdout' or 'stderr' type: keyword @@ -110,7 +112,7 @@ alias to: event.created **`docker.attrs`** -: docker.attrs contains labels and environment variables written by docker’s JSON File logging driver. These fields are only available when they are configured in the logging driver options. +: docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options. type: object 
diff --git a/docs/reference/filebeat/exported-fields-logstash.md b/docs/reference/filebeat/exported-fields-logstash.md index 29436edad0a7..93964e94a301 100644 --- a/docs/reference/filebeat/exported-fields-logstash.md +++ b/docs/reference/filebeat/exported-fields-logstash.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-logstash.html --- +% This file is generated! See scripts/generate_fields_docs.py + # logstash fields [exported-fields-logstash] logstash Module - ## logstash [_logstash] -## log [_log_7] + +## log [_log] Fields from the Logstash logs. @@ -61,8 +63,7 @@ alias to: message alias to: log.level - -## slowlog [_slowlog_2] +## slowlog [_slowlog] slowlog @@ -121,7 +122,7 @@ type: keyword **`logstash.slowlog.plugin_params_object`** -: key → value of the configuration used by the plugin. +: key -> value of the configuration used by the plugin. type: object diff --git a/docs/reference/filebeat/exported-fields-lumberjack.md b/docs/reference/filebeat/exported-fields-lumberjack.md index d8614d9d91a0..431f3c34026a 100644 --- a/docs/reference/filebeat/exported-fields-lumberjack.md +++ b/docs/reference/filebeat/exported-fields-lumberjack.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-lumberjack.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Lumberjack fields [exported-fields-lumberjack] Fields from Lumberjack input. diff --git a/docs/reference/filebeat/exported-fields-microsoft.md b/docs/reference/filebeat/exported-fields-microsoft.md index 66ffb0c8ebc9..d8a4a970c8e9 100644 --- a/docs/reference/filebeat/exported-fields-microsoft.md +++ b/docs/reference/filebeat/exported-fields-microsoft.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-microsoft.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Microsoft fields [exported-fields-microsoft] Microsoft Module - -## microsoft.defender_atp [_microsoft_defender_atp] +## microsoft.defender_atp [_microsoft.defender_atp] Module for ingesting Microsoft Defender ATP. @@ -19,7 +20,7 @@ type: date **`microsoft.defender_atp.resolvedTime`** -: The date and time in which the status of the alert was changed to *Resolved*. +: The date and time in which the status of the alert was changed to 'Resolved'. type: date @@ -49,19 +50,19 @@ type: keyword **`microsoft.defender_atp.status`** -: Specifies the current status of the alert. Possible values are: *Unknown*, *New*, *InProgress* and *Resolved*. +: Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. type: keyword **`microsoft.defender_atp.classification`** -: Specification of the alert. Possible values are: *Unknown*, *FalsePositive*, *TruePositive*. +: Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. type: keyword **`microsoft.defender_atp.determination`** -: Specifies the determination of the alert. Possible values are: *NotAvailable*, *Apt*, *Malware*, *SecurityPersonnel*, *SecurityTesting*, *UnwantedSoftware*, *Other*. +: Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. type: keyword @@ -114,8 +115,7 @@ type: keyword type: keyword - -## microsoft.m365_defender [_microsoft_m365_defender] +## microsoft.m365_defender [_microsoft.m365_defender] Module for ingesting Microsoft Defender ATP. 
@@ -162,13 +162,13 @@ type: keyword **`microsoft.m365_defender.status`** -: Specifies the current status of the alert. Possible values are: *Unknown*, *New*, *InProgress* and *Resolved*. +: Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. type: keyword **`microsoft.m365_defender.classification`** -: Specification of the alert. Possible values are: *Unknown*, *FalsePositive*, *TruePositive*. +: Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. type: keyword @@ -234,7 +234,7 @@ type: keyword **`microsoft.m365_defender.alerts.investigationState`** -: Information on the investigation’s current status. +: Information on the investigation's current status. type: keyword diff --git a/docs/reference/filebeat/exported-fields-misp.md b/docs/reference/filebeat/exported-fields-misp.md index bd784f759931..e13be4e55127 100644 --- a/docs/reference/filebeat/exported-fields-misp.md +++ b/docs/reference/filebeat/exported-fields-misp.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-misp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MISP fields [exported-fields-misp] Module for handling threat information from MISP. - ## misp [_misp] Fields from MISP threat information. - ## attack_pattern [_attack_pattern] Fields provide support for specifying information about attack patterns. @@ -41,7 +41,6 @@ type: text type: keyword - ## campaign [_campaign] Fields provide support for specifying information about campaigns. 
@@ -83,12 +82,11 @@ type: date **`misp.campaign.objective`** -: This field defines the Campaign’s primary goal, objective, desired outcome, or intended effect. +: This field defines the Campaign's primary goal, objective, desired outcome, or intended effect. type: keyword - ## course_of_action [_course_of_action] A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. @@ -111,8 +109,7 @@ type: keyword type: text - -## identity [_identity_2] +## identity [_identity] Identity can represent actual individuals, organizations, or groups, as well as classes of individuals, organizations, or groups. @@ -148,6 +145,7 @@ type: keyword example: CEO + **`misp.identity.sectors`** : The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov @@ -160,7 +158,6 @@ type: keyword type: text - ## intrusion_set [_intrusion_set] An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. @@ -225,10 +222,9 @@ type: text type: text - ## malware [_malware] -Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. +Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. **`misp.malware.id`** : Identifier of the Malware. 
@@ -262,7 +258,6 @@ type: keyword format: string - ## note [_note] A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. @@ -297,7 +292,6 @@ type: keyword type: keyword - ## threat_indicator [_threat_indicator] Fields provide support for specifying information about threat indicators, and related matching patterns. @@ -310,6 +304,7 @@ type: keyword example: Domain Watchlist + **`misp.threat_indicator.id`** : Identifier of the threat indicator. @@ -403,7 +398,8 @@ format: string type: keyword -example: [destination:ip = *91.219.29.188/32*] +example: [destination:ip = '91.219.29.188/32'] + **`misp.threat_indicator.attack_pattern_kql`** @@ -414,6 +410,7 @@ type: keyword example: destination.ip: "91.219.29.188/32" + **`misp.threat_indicator.negate`** : When set to true, it specifies the absence of the attack_pattern. @@ -438,7 +435,6 @@ type: keyword type: keyword - ## observed_data [_observed_data] Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. @@ -473,7 +469,6 @@ type: integer type: keyword - ## report [_report] Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. @@ -514,7 +509,6 @@ type: date type: text - ## threat_actor [_threat_actor] Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. @@ -591,7 +585,6 @@ type: text type: text - ## tool [_tool] Tools are legitimate software that can be used by threat actors to perform attacks. 
@@ -632,8 +625,7 @@ type: keyword type: text - -## vulnerability [_vulnerability_2] +## vulnerability [_vulnerability] A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. diff --git a/docs/reference/filebeat/exported-fields-mongodb.md b/docs/reference/filebeat/exported-fields-mongodb.md index ece3e38488d0..c2d6cfb5500a 100644 --- a/docs/reference/filebeat/exported-fields-mongodb.md +++ b/docs/reference/filebeat/exported-fields-mongodb.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mongodb.html --- +% This file is generated! See scripts/generate_fields_docs.py + # mongodb fields [exported-fields-mongodb] Module for parsing MongoDB log files. - ## mongodb [_mongodb] Fields from MongoDB logs. - -## log [_log_8] +## log [_log] Contains fields from MongoDB logs. diff --git a/docs/reference/filebeat/exported-fields-mssql.md b/docs/reference/filebeat/exported-fields-mssql.md index 6067d30ea6ea..0cda6383862e 100644 --- a/docs/reference/filebeat/exported-fields-mssql.md +++ b/docs/reference/filebeat/exported-fields-mssql.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mssql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # mssql fields [exported-fields-mssql] MS SQL Filebeat Module - ## mssql [_mssql] Fields from the MSSQL log files - -## log [_log_9] +## log [_log] Common log fields diff --git a/docs/reference/filebeat/exported-fields-mysql.md b/docs/reference/filebeat/exported-fields-mysql.md index 8e07439ba140..99d0d3b5e803 100644 --- a/docs/reference/filebeat/exported-fields-mysql.md +++ b/docs/reference/filebeat/exported-fields-mysql.md 
@@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mysql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MySQL fields [exported-fields-mysql] Module for parsing the MySQL log files. - ## mysql [_mysql] Fields from the MySQL log files. @@ -18,8 +19,7 @@ Fields from the MySQL log files. type: long - -## error [_error_4] +## error [_error] Contains fields from the MySQL error logs. @@ -41,8 +41,7 @@ alias to: log.level alias to: message - -## slowlog [_slowlog_3] +## slowlog [_slowlog] Contains fields from the MySQL slow logs. @@ -272,7 +271,6 @@ type: long type: long - ## innodb [_innodb] Contains fields relative to InnoDB engine diff --git a/docs/reference/filebeat/exported-fields-mysqlenterprise.md b/docs/reference/filebeat/exported-fields-mysqlenterprise.md index 1dd60c46621b..531a79b9258f 100644 --- a/docs/reference/filebeat/exported-fields-mysqlenterprise.md +++ b/docs/reference/filebeat/exported-fields-mysqlenterprise.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-mysqlenterprise.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MySQL Enterprise fields [exported-fields-mysqlenterprise] MySQL Enterprise Audit module - ## mysqlenterprise [_mysqlenterprise] Fields from MySQL Enterprise Logs - -## audit [_audit_4] +## audit [_audit] Module for parsing MySQL Enterprise Audit Logs diff --git a/docs/reference/filebeat/exported-fields-nats.md b/docs/reference/filebeat/exported-fields-nats.md index 2f481ec670d2..09f46aa5bc3c 100644 --- a/docs/reference/filebeat/exported-fields-nats.md +++ b/docs/reference/filebeat/exported-fields-nats.md 
@@ -3,22 +3,21 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-nats.html --- +% This file is generated! See scripts/generate_fields_docs.py + # NATS fields [exported-fields-nats] Module for parsing NATS log files. - ## nats [_nats] Fields from NATS logs. - -## log [_log_10] +## log [_log] Nats log files - -## client [_client_3] +## client [_client] Fields from NATS logs client. @@ -28,7 +27,6 @@ Fields from NATS logs client. type: integer - ## msg [_msg] Fields from NATS logs message. diff --git a/docs/reference/filebeat/exported-fields-netflow.md b/docs/reference/filebeat/exported-fields-netflow.md index 4c598bbe2ce0..2b73d865dd3e 100644 --- a/docs/reference/filebeat/exported-fields-netflow.md +++ b/docs/reference/filebeat/exported-fields-netflow.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html --- +% This file is generated! See scripts/generate_fields_docs.py + # NetFlow fields [exported-fields-netflow] Fields from NetFlow and IPFIX flows. - ## netflow [_netflow] Fields from NetFlow and IPFIX. @@ -18,13 +19,12 @@ Fields from NetFlow and IPFIX. type: keyword - ## exporter [_exporter] Metadata related to the exporter device that generated this record. **`netflow.exporter.address`** -: Exporter’s network address in IP:port format. +: Exporter's network address in IP:port format. type: keyword diff --git a/docs/reference/filebeat/exported-fields-nginx.md b/docs/reference/filebeat/exported-fields-nginx.md index 02f15d819bcb..dd76f389cac1 100644 --- a/docs/reference/filebeat/exported-fields-nginx.md +++ b/docs/reference/filebeat/exported-fields-nginx.md 
@@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-nginx.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Nginx fields [exported-fields-nginx] Module for parsing the Nginx log files. - ## nginx [_nginx] Fields from the Nginx log files. - -## access [_access_3] +## access [_access] Contains fields for the Nginx access logs. @@ -137,8 +137,7 @@ alias to: source.geo.city_name alias to: source.geo.region_iso_code - -## error [_error_5] +## error [_error] Contains fields for the Nginx error logs. @@ -172,7 +171,6 @@ alias to: process.thread.id alias to: message - ## ingress_controller [_ingress_controller] Contains fields for the Ingress Nginx controller access logs. diff --git a/docs/reference/filebeat/exported-fields-o365.md b/docs/reference/filebeat/exported-fields-o365.md index 68ece7e933a0..a554f417d98c 100644 --- a/docs/reference/filebeat/exported-fields-o365.md +++ b/docs/reference/filebeat/exported-fields-o365.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Office 365 fields [exported-fields-o365] Module for handling logs from Office 365. - -## o365.audit [_o365_audit] +## o365.audit [_o365.audit] Fields from Office 365 Management API audit logs. diff --git a/docs/reference/filebeat/exported-fields-okta.md b/docs/reference/filebeat/exported-fields-okta.md index 7090ece760ff..b6770ebc182f 100644 --- a/docs/reference/filebeat/exported-fields-okta.md +++ b/docs/reference/filebeat/exported-fields-okta.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-okta.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Okta fields [exported-fields-okta] Module for handling system logs from Okta. - ## okta [_okta] Fields from Okta. 
@@ -42,7 +43,6 @@ type: keyword type: keyword - ## actor [_actor] Fields that let you store information of the actor for the LogEvent. @@ -71,8 +71,7 @@ type: keyword type: keyword - -## client [_client_4] +## client [_client] Fields that let you store information about the client of the actor. @@ -82,8 +81,7 @@ Fields that let you store information about the client of the actor. type: ip - -## user_agent [_user_agent_2] +## user_agent [_user_agent] Fields about the user agent information of the client. @@ -123,7 +121,6 @@ type: keyword type: keyword - ## outcome [_outcome] Fields that let you store information about the outcome. @@ -146,7 +143,6 @@ type: keyword type: flattened - ## transaction [_transaction] Fields that let you store information about related transaction. @@ -163,12 +159,10 @@ type: keyword type: keyword - ## debug_context [_debug_context] Fields that let you store information about the debug context. - ## debug_data [_debug_data] The debug data. @@ -233,7 +227,6 @@ type: keyword type: flattened - ## suspicious_activity [_suspicious_activity] The suspicious activity fields from the debug data. @@ -310,7 +303,6 @@ type: keyword type: date - ## authentication_context [_authentication_context] Fields that let you store information about authentication context. @@ -357,13 +349,11 @@ type: keyword type: keyword - ## security_context [_security_context] Fields that let you store information about security context. - -## as [_as_2] +## as [_as] The autonomous system. @@ -373,8 +363,7 @@ The autonomous system. type: integer - -## organization [_organization_2] +## organization [_organization] The organization that owns the AS number. @@ -402,8 +391,7 @@ type: keyword type: boolean - -## request [_request_3] +## request [_request] Fields that let you store information about the request, in the form of list of ip_chain. 
diff --git a/docs/reference/filebeat/exported-fields-oracle.md b/docs/reference/filebeat/exported-fields-oracle.md index 75be1b689d89..8c778afb8772 100644 --- a/docs/reference/filebeat/exported-fields-oracle.md +++ b/docs/reference/filebeat/exported-fields-oracle.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-oracle.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Oracle fields [exported-fields-oracle] Oracle Module - ## oracle [_oracle] Fields from Oracle logs. - ## database_audit [_database_audit] Module for parsing Oracle Database audit logs @@ -72,7 +72,7 @@ type: keyword **`oracle.database_audit.entryid`** -: Numeric ID for each audit trail entry in the session. The entry ID is an index of a session’s audit entries that starts at 1 and increases to the number of entries that are written. +: Numeric ID for each audit trail entry in the session. The entry ID is an index of a session's audit entries that starts at 1 and increases to the number of entries that are written. type: integer @@ -90,7 +90,7 @@ type: keyword **`oracle.database_audit.terminal`** -: Identifier of the user’s terminal. +: Identifier of the user's terminal. type: text diff --git a/docs/reference/filebeat/exported-fields-osquery.md b/docs/reference/filebeat/exported-fields-osquery.md index 0c70abd6d254..67435e82efd2 100644 --- a/docs/reference/filebeat/exported-fields-osquery.md +++ b/docs/reference/filebeat/exported-fields-osquery.md @@ -3,14 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-osquery.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Osquery fields [exported-fields-osquery] Fields exported by the `osquery` module - ## osquery [_osquery] + ## result [_result] Common fields exported by the result metricset. 
diff --git a/docs/reference/filebeat/exported-fields-panw.md b/docs/reference/filebeat/exported-fields-panw.md index b94cf8086a92..ea6113c84d90 100644 --- a/docs/reference/filebeat/exported-fields-panw.md +++ b/docs/reference/filebeat/exported-fields-panw.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-panw.html --- +% This file is generated! See scripts/generate_fields_docs.py + # panw fields [exported-fields-panw] Module for Palo Alto Networks (PAN-OS) - ## panw [_panw] Fields from the panw module. - ## panos [_panos] Fields for the Palo Alto Networks PAN-OS logs. @@ -23,8 +23,7 @@ Fields for the Palo Alto Networks PAN-OS logs. type: keyword - -## source [_source_3] +## source [_source] Fields to extend the top-level source object. @@ -40,7 +39,6 @@ type: keyword type: keyword - ## nat [_nat] Post-NAT source address, if source NAT is performed. @@ -57,8 +55,7 @@ type: ip type: long - -## destination [_destination_3] +## destination [_destination] Fields to extend the top-level destination object. @@ -74,8 +71,7 @@ type: keyword type: keyword - -## nat [_nat_2] +## nat [_nat] Post-NAT destination address, if destination NAT is performed. @@ -97,8 +93,7 @@ type: long type: keyword - -## network [_network_2] +## network [_network] Fields to extend the top-level network object. @@ -114,8 +109,7 @@ type: keyword type: keyword - -## file [_file_3] +## file [_file] Fields to extend the top-level file object. @@ -125,13 +119,12 @@ Fields to extend the top-level file object. type: keyword - -## url [_url_4] +## url [_url] Fields to extend the top-level url object. **`panw.panos.url.category`** -: For threat URLs, it’s the URL category. For WildFire, the verdict on the file and is either *malicious*, *grayware*, or *benign*. +: For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. type: keyword 
@@ -292,7 +285,6 @@ type: date type: keyword - ## device_group_hierarchy [_device_group_hierarchy] A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. diff --git a/docs/reference/filebeat/exported-fields-pensando.md b/docs/reference/filebeat/exported-fields-pensando.md index 2e24579f8f07..e5c68f86a43e 100644 --- a/docs/reference/filebeat/exported-fields-pensando.md +++ b/docs/reference/filebeat/exported-fields-pensando.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-pensando.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Pensando fields [exported-fields-pensando] pensando Module - ## pensando [_pensando] Fields from Pensando logs. - ## dfw [_dfw] Fields for Pensando DFW diff --git a/docs/reference/filebeat/exported-fields-postgresql.md b/docs/reference/filebeat/exported-fields-postgresql.md index 99e666125078..b3c15cb1fff4 100644 --- a/docs/reference/filebeat/exported-fields-postgresql.md +++ b/docs/reference/filebeat/exported-fields-postgresql.md 
@@ -3,34 +3,30 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-postgresql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # PostgreSQL fields [exported-fields-postgresql] Module for parsing the PostgreSQL log files. - ## postgresql [_postgresql] Fields from PostgreSQL logs. - -## log [_log_11] +## log [_log] Fields from the PostgreSQL log files. **`postgresql.log.timestamp`** -: :::{admonition} Deprecated in 7.3.0 - The `postgresql.log.timestamp` field was deprecated in 7.3.0. - ::: +: The timestamp from the log line. -The timestamp from the log line. +{applies_to}`product: deprecated 7.3.0` **`postgresql.log.core_id`** -: :::{admonition} Deprecated in 8.0.0 - The `postgresql.log.core_id` field was deprecated in 8.0.0. - ::: +: Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number). -Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number). +{applies_to}`product: deprecated 8.0.0` type: alias @@ -86,7 +82,7 @@ example: pdo_stmt_00000001 **`postgresql.log.command_tag`** -: Type of session’s current command. The complete list can be found at: src/include/tcop/cmdtaglist.h +: Type of session's current command. The complete list can be found at: src/include/tcop/cmdtaglist.h example: SELECT 
@@ -108,13 +104,13 @@ type: long **`postgresql.log.sql_state_code`** -: State code returned by Postgres (if any). See also [https://www.postgresql.org/docs/current/errcodes-appendix.html](https://www.postgresql.org/docs/current/errcodes-appendix.html) +: State code returned by Postgres (if any). See also https://www.postgresql.org/docs/current/errcodes-appendix.html type: keyword **`postgresql.log.detail`** -: More information about the message, parameters in case of a parametrized query. e.g. *Role \"user\" does not exist.*, *parameters: $1 = 42*, etc. +: More information about the message, parameters in case of a parametrized query. e.g. 'Role \"user\" does not exist.', 'parameters: $1 = 42', etc. **`postgresql.log.hint`** @@ -156,11 +152,9 @@ example: client backend **`postgresql.log.error.code`** -: :::{admonition} Deprecated in 8.0.0 - The `postgresql.log.error.code` field was deprecated in 8.0.0. - ::: +: Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead. -Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead. +{applies_to}`product: deprecated 8.0.0` type: alias diff --git a/docs/reference/filebeat/exported-fields-process.md b/docs/reference/filebeat/exported-fields-process.md index 1376d72752fb..9215f3c737c3 100644 --- a/docs/reference/filebeat/exported-fields-process.md +++ b/docs/reference/filebeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields @@ -13,7 +15,6 @@ Process metadata fields alias to: process.executable - ## owner [_owner] Process owner information. diff --git a/docs/reference/filebeat/exported-fields-rabbitmq.md b/docs/reference/filebeat/exported-fields-rabbitmq.md index 56e221758b16..76a059aaf9eb 100644 
--- a/docs/reference/filebeat/exported-fields-rabbitmq.md +++ b/docs/reference/filebeat/exported-fields-rabbitmq.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-rabbitmq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # RabbitMQ fields [exported-fields-rabbitmq] RabbitMQ Module - ## rabbitmq [_rabbitmq] -## log [_log_12] + +## log [_log] RabbitMQ log files diff --git a/docs/reference/filebeat/exported-fields-redis.md b/docs/reference/filebeat/exported-fields-redis.md index d49af843cd32..8d9e60b1889c 100644 --- a/docs/reference/filebeat/exported-fields-redis.md +++ b/docs/reference/filebeat/exported-fields-redis.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-redis.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Redis fields [exported-fields-redis] Redis Module - ## redis [_redis] -## log [_log_13] + +## log [_log] Redis log files @@ -39,8 +41,7 @@ alias to: log.level alias to: message - -## slowlog [_slowlog_4] +## slowlog [_slowlog] Slow logs are retrieved from Redis via a network connection. diff --git a/docs/reference/filebeat/exported-fields-s3.md b/docs/reference/filebeat/exported-fields-s3.md index 32a4982df101..9234a0c502b4 100644 --- a/docs/reference/filebeat/exported-fields-s3.md +++ b/docs/reference/filebeat/exported-fields-s3.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-s3.html --- +% This file is generated! See scripts/generate_fields_docs.py + # s3 fields [exported-fields-s3] S3 fields from s3 input. diff --git a/docs/reference/filebeat/exported-fields-salesforce.md b/docs/reference/filebeat/exported-fields-salesforce.md index d2962a345b95..ee477cb6395b 100644 --- a/docs/reference/filebeat/exported-fields-salesforce.md +++ b/docs/reference/filebeat/exported-fields-salesforce.md 
@@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-salesforce.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Salesforce fields [exported-fields-salesforce] Salesforce Module - ## salesforce [_salesforce] Fileset for ingesting Salesforce Apex logs. @@ -18,7 +19,6 @@ Fileset for ingesting Salesforce Apex logs. type: keyword - ## apex [_apex] Fileset for ingesting Salesforce Apex logs. @@ -48,7 +48,7 @@ type: keyword **`salesforce.apex.client_name`** -: The name of the client that’s using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn’t specify a client in the CallOptions header. +: The name of the client that's using Salesforce services. This field is an optional parameter that can be passed in API calls. If blank, the caller didn't specify a client in the CallOptions header. type: keyword @@ -120,7 +120,7 @@ type: keyword **`salesforce.apex.is_long_running_request`** -: Indicates whether the request is counted against your org’s concurrent long-running Apex request limit (true) or not (false). +: Indicates whether the request is counted against your org's concurrent long-running Apex request limit (true) or not (false). type: keyword @@ -132,13 +132,13 @@ type: long **`salesforce.apex.limit_usage_pct`** -: The percentage of Apex SOAP calls that were made against the organization’s limit. +: The percentage of Apex SOAP calls that were made against the organization's limit. type: float **`salesforce.apex.login_key`** -: The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. +: The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. type: keyword 
@@ -216,7 +216,7 @@ type: keyword **`salesforce.apex.rows_total`** -: Total number of records in the result set. The value is always -1 if the custom adapter’s DataSource.Provider class doesn’t declare the QUERY_TOTAL_SIZE capability. +: Total number of records in the result set. The value is always -1 if the custom adapter's DataSource.Provider class doesn't declare the QUERY_TOTAL_SIZE capability. type: long @@ -282,13 +282,13 @@ type: keyword **`salesforce.apex.uri`** -: The URI of the page that’s receiving the request. +: The URI of the page that's receiving the request. type: keyword **`salesforce.apex.uri_derived_id`** -: The 18-character case-safe ID of the URI of the page that’s receiving the request. +: The 18-character case-safe ID of the URI of the page that's receiving the request. type: keyword @@ -300,13 +300,12 @@ type: keyword **`salesforce.apex.user_id_derived`** -: The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API. +: The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. type: keyword - -## salesforce.login [_salesforce_login] +## salesforce.login [_salesforce.login] Fileset for ingesting Salesforce Login (REST) logs. @@ -329,7 +328,7 @@ type: keyword **`salesforce.login.api.version`** -: The version of the Salesforce API that’s being used. +: The version of the Salesforce API that's being used. type: keyword 
@@ -353,19 +352,19 @@ type: text **`salesforce.login.session.key`** -: The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For LoginEvent, this field is often null because the event is captured before a session is created. For example, vMASKIU6AxEr+Op5. This field is available in API version 46.0 and later. +: The user's unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For LoginEvent, this field is often null because the event is captured before a session is created. For example, vMASKIU6AxEr+Op5. This field is available in API version 46.0 and later. type: keyword **`salesforce.login.key`** -: The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. +: The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. type: keyword **`salesforce.login.history_id`** -: Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and other objects, making it easier to trace events back to a user’s original authentication. +: Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and other objects, making it easier to trace events back to a user's original authentication. type: keyword 
@@ -377,13 +376,13 @@ type: keyword **`salesforce.login.geo_id`** -: The Salesforce ID of the LoginGeo object associated with the login user’s IP address. +: The Salesforce ID of the LoginGeo object associated with the login user's IP address. type: keyword **`salesforce.login.additional_info`** -: JSON serialization of additional information that’s captured from the HTTP headers during a login request. +: JSON serialization of additional information that's captured from the HTTP headers during a login request. type: text @@ -395,7 +394,7 @@ type: keyword **`salesforce.login.client_ip`** -: The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. +: The IP address of the client that's using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as “Salesforce.com IP”. type: keyword @@ -407,7 +406,7 @@ type: long **`salesforce.login.db_time_total`** -: The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB’s CPU time. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. +: The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB's CPU time. Compare this field to cpu_time to determine whether performance issues are occurring in the database layer or in your own code. type: double 
@@ -443,13 +442,13 @@ type: long **`salesforce.login.user_id`** -: The 15-character ID of the user who’s using Salesforce services through the UI or the API. +: The 15-character ID of the user who's using Salesforce services through the UI or the API. type: keyword **`salesforce.login.uri_id_derived`** -: The 18-character case insensitive ID of the URI of the page that’s receiving the request. +: The 18-character case insensitive ID of the URI of the page that's receiving the request. type: keyword @@ -466,8 +465,7 @@ type: float type: keyword - -## salesforce.logout [_salesforce_logout] +## salesforce.logout [_salesforce.logout] Fileset for parsing Salesforce Logout (REST) logs. @@ -478,7 +476,7 @@ type: keyword **`salesforce.logout.session.key`** -: The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. +: The user's unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. type: keyword @@ -496,7 +494,7 @@ type: keyword **`salesforce.logout.login_key`** -: The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. +: The string that ties together all events in a given user's login session. It starts with a login event and ends with either a logout event or the user session expiring. type: keyword @@ -508,7 +506,7 @@ type: keyword **`salesforce.logout.api.version`** -: The version of the Salesforce API that’s being used. +: The version of the Salesforce API that's being used. type: keyword 
@@ -556,19 +554,19 @@ type: keyword **`salesforce.logout.user_id`** -: The 15-character ID of the user who’s using Salesforce services through the UI or the API. +: The 15-character ID of the user who's using Salesforce services through the UI or the API. type: keyword **`salesforce.logout.user_id_derived`** -: The 18-character case-safe ID of the user who’s using Salesforce services through the UI or the API. +: The 18-character case-safe ID of the user who's using Salesforce services through the UI or the API. type: keyword **`salesforce.logout.user_initiated_logout`** -: The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0. +: The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user's session timed out due to inactivity or another implicit logout action, the value is 0. type: keyword @@ -591,8 +589,7 @@ type: keyword type: keyword - -## salesforce.setup_audit_trail [_salesforce_setup_audit_trail] +## salesforce.setup_audit_trail [_salesforce.setup_audit_trail] Fileset for ingesting Salesforce SetupAuditTrail logs. @@ -621,7 +618,7 @@ type: keyword **`salesforce.setup_audit_trail.delegate_user`** -: The Login-As user who executed the action in Setup. If a Login-As user didn’t perform the action, this field is blank. This field is available in API version 35.0 and later. +: The Login-As user who executed the action in Setup. If a Login-As user didn't perform the action, this field is blank. This field is available in API version 35.0 and later. type: keyword diff --git a/docs/reference/filebeat/exported-fields-santa.md b/docs/reference/filebeat/exported-fields-santa.md index ef58370052bc..f334daf5f58e 100644 --- a/docs/reference/filebeat/exported-fields-santa.md +++ b/docs/reference/filebeat/exported-fields-santa.md 
@@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-santa.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Google Santa fields [exported-fields-santa] Santa Module - ## santa [_santa] + + **`santa.action`** : Action @@ -42,7 +45,6 @@ type: keyword example: M - ## disk [_disk] Fields for DISKAPPEAR actions. diff --git a/docs/reference/filebeat/exported-fields-snyk.md b/docs/reference/filebeat/exported-fields-snyk.md index d19da3d68af2..221486aea366 100644 --- a/docs/reference/filebeat/exported-fields-snyk.md +++ b/docs/reference/filebeat/exported-fields-snyk.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-snyk.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Snyk fields [exported-fields-snyk] Snyk module - ## snyk [_snyk] Module for parsing Snyk project vulnerabilities. @@ -19,13 +20,12 @@ type: flattened **`snyk.related.projects`** -: Array of all the related project ID’s. +: Array of all the related project ID's. type: keyword - -## audit [_audit_5] +## audit [_audit] Module for parsing Snyk audit logs. @@ -47,7 +47,6 @@ type: keyword type: flattened - ## vulnerabilities [_vulnerabilities] Module for parsing Snyk project vulnerabilities. @@ -107,7 +106,7 @@ type: boolean **`snyk.vulnerabilities.language`** -: The package’s programming language. +: The package's programming language. type: keyword diff --git a/docs/reference/filebeat/exported-fields-sophos.md b/docs/reference/filebeat/exported-fields-sophos.md index d8b805f4b101..015c419a1a11 100644 --- a/docs/reference/filebeat/exported-fields-sophos.md +++ b/docs/reference/filebeat/exported-fields-sophos.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-sophos.html --- +% This file is generated! See scripts/generate_fields_docs.py + # sophos fields [exported-fields-sophos] sophos Module - -## sophos.xg [_sophos_xg] +## sophos.xg [_sophos.xg] Module for parsing sophosxg syslog. diff --git a/docs/reference/filebeat/exported-fields-suricata.md b/docs/reference/filebeat/exported-fields-suricata.md index 685bb47faf72..e9005d0c6707 100644 --- a/docs/reference/filebeat/exported-fields-suricata.md +++ b/docs/reference/filebeat/exported-fields-suricata.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-suricata.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Suricata fields [exported-fields-suricata] Module for handling the EVE JSON logs produced by Suricata. - ## suricata [_suricata] Fields from the Suricata EVE log file. - ## eve [_eve] Fields exported by the EVE JSON logs diff --git a/docs/reference/filebeat/exported-fields-system.md b/docs/reference/filebeat/exported-fields-system.md index b0021fd1a8bb..46e902510178 100644 --- a/docs/reference/filebeat/exported-fields-system.md +++ b/docs/reference/filebeat/exported-fields-system.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-system.html --- +% This file is generated! See scripts/generate_fields_docs.py + # System fields [exported-fields-system] Module for parsing system log files. - ## system [_system] Fields from the system log files. - -## auth [_auth_2] +## auth [_auth] Fields from the Linux authorization logs. @@ -121,7 +121,6 @@ alias to: source.geo.city_name alias to: source.geo.region_iso_code - ## sudo [_sudo] Fields specific to events created by the `sudo` command. @@ -150,7 +149,6 @@ example: root : The command executed via sudo. - ## useradd [_useradd] Fields specific to events created by the `useradd` command. 
@@ -181,7 +179,6 @@ alias to: user.id alias to: group.id - ## groupadd [_groupadd] Fields specific to events created by the `groupadd` command. @@ -198,8 +195,7 @@ alias to: group.name alias to: group.id - -## syslog [_syslog_3] +## syslog [_syslog] Contains fields from the syslog system logs. diff --git a/docs/reference/filebeat/exported-fields-threatintel.md b/docs/reference/filebeat/exported-fields-threatintel.md index 20a9378de79b..d1a44f95c89f 100644 --- a/docs/reference/filebeat/exported-fields-threatintel.md +++ b/docs/reference/filebeat/exported-fields-threatintel.md @@ -3,18 +3,20 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-threatintel.html --- +% This file is generated! See scripts/generate_fields_docs.py + # threatintel fields [exported-fields-threatintel] Threat intelligence Filebeat Module. **`threat.indicator.file.hash.tlsh`** -: The file’s import tlsh, if available. +: The file's import tlsh, if available. type: keyword **`threat.indicator.file.hash.sha384`** -: The file’s sha384 hash, if available. +: The file's sha384 hash, if available. type: keyword @@ -27,8 +29,7 @@ type: keyword : type: keyword - -## abusech.malware [_abusech_malware] +## abusech.malware [_abusech.malware] Fields for AbuseCH Malware Threat Intel @@ -68,8 +69,7 @@ type: float type: keyword - -## abusech.url [_abusech_url] +## abusech.url [_abusech.url] Fields for AbuseCH Malware Threat Intel @@ -127,8 +127,7 @@ type: boolean type: keyword - -## anomali.limo [_anomali_limo] +## anomali.limo [_anomali.limo] Fields for Anomali Threat Intel @@ -204,8 +203,7 @@ type: keyword type: keyword - -## anomali.threatstream [_anomali_threatstream] +## anomali.threatstream [_anomali.threatstream] Fields for Anomali ThreatStream 
@@ -218,7 +216,7 @@ example: private **`anomali.threatstream.confidence`** -: The measure of the accuracy (from 0 to 100) assigned by ThreatStream’s predictive analytics technology to indicators. +: The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. type: short @@ -319,8 +317,7 @@ type: keyword type: keyword - -## abusech.malwarebazaar [_abusech_malwarebazaar] +## abusech.malwarebazaar [_abusech.malwarebazaar] Fields for Malware Bazaar Threat Intel @@ -378,8 +375,7 @@ type: long type: nested - -## misp [_misp_2] +## misp [_misp] Fields for MISP Threat Intel @@ -713,7 +709,6 @@ type: keyword type: keyword - ## otx [_otx] Fields for OTX Threat Intel @@ -754,7 +749,6 @@ type: keyword type: keyword - ## threatq [_threatq] Fields for ThreatQ Threat Library diff --git a/docs/reference/filebeat/exported-fields-traefik.md b/docs/reference/filebeat/exported-fields-traefik.md index 7a9a5805f8bd..239b48135df5 100644 --- a/docs/reference/filebeat/exported-fields-traefik.md +++ b/docs/reference/filebeat/exported-fields-traefik.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-traefik.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Traefik fields [exported-fields-traefik] Module for parsing the Traefik log files. - ## traefik [_traefik] Fields from the Traefik log files. - -## access [_access_4] +## access [_access] Contains fields for the Traefik access logs. diff --git a/docs/reference/filebeat/exported-fields-winlog.md b/docs/reference/filebeat/exported-fields-winlog.md index 53147bd3bfb3..572499586d46 100644 --- a/docs/reference/filebeat/exported-fields-winlog.md +++ b/docs/reference/filebeat/exported-fields-winlog.md 
@@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-winlog.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Windows ETW fields [exported-fields-winlog] Fields from the ETW input (Event Tracing for Windows). - ## winlog [_winlog] All fields specific to the Windows Event Tracing are defined here. @@ -45,7 +46,7 @@ required: False **`winlog.keywords`** -: The keywords are used to indicate an event’s membership in a set of event categories. +: The keywords are used to indicate an event's membership in a set of event categories. type: keyword diff --git a/docs/reference/filebeat/exported-fields-zeek.md b/docs/reference/filebeat/exported-fields-zeek.md index 635656ef6452..c1f053e79183 100644 --- a/docs/reference/filebeat/exported-fields-zeek.md +++ b/docs/reference/filebeat/exported-fields-zeek.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Zeek fields [exported-fields-zeek] Module for handling logs produced by Zeek/Bro - ## zeek [_zeek] Fields from Zeek/Bro logs after normalization @@ -18,7 +19,6 @@ Fields from Zeek/Bro logs after normalization type: keyword - ## capture_loss [_capture_loss] Fields exported by the Zeek capture_loss log @@ -48,12 +48,11 @@ type: integer **`zeek.capture_loss.percent_lost`** -: Percentage of ACKs seen where the data being ACKed wasn’t seen. +: Percentage of ACKs seen where the data being ACKed wasn't seen. type: double - ## connection [_connection] Fields exported by the Zeek Connection log 
@@ -118,13 +117,12 @@ type: integer type: integer - ## dce_rpc [_dce_rpc] Fields exported by the Zeek DCE_RPC log **`zeek.dce_rpc.rtt`** -: Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null. +: Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. type: integer @@ -147,7 +145,6 @@ type: keyword type: keyword - ## dhcp [_dhcp] Fields exported by the Zeek DHCP log @@ -182,7 +179,6 @@ type: keyword type: integer - ## address [_address] Addresses seen in this DHCP exchange. @@ -200,7 +196,7 @@ type: ip **`zeek.dhcp.address.mac`** -: Client’s hardware address. +: Client's hardware address. type: keyword @@ -266,12 +262,11 @@ type: keyword **`zeek.dhcp.id.subscriber`** -: (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected. +: (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. type: keyword - ## dnp3 [_dnp3] Fields exported by the Zeek DNP3 log @@ -289,13 +284,12 @@ type: keyword **`zeek.dnp3.id`** -: The response’s internal indication number. +: The response's internal indication number. type: integer - -## dns [_dns_2] +## dns [_dns] Fields exported by the Zeek DNS log @@ -419,7 +413,6 @@ type: boolean type: boolean - ## dpd [_dpd] Fields exported by the Zeek DPD log @@ -442,7 +435,6 @@ type: keyword type: keyword - ## files [_files] Fields exported by the Zeek Files log. 
@@ -538,7 +530,7 @@ type: long **`zeek.files.overflow_bytes`** -: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled. +: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. type: long @@ -597,7 +589,6 @@ type: long type: double - ## ftp [_ftp] Fields exported by the Zeek FTP log @@ -656,7 +647,6 @@ type: integer type: keyword - ## data_channel [_data_channel] Expected FTP data channel. @@ -686,12 +676,11 @@ type: integer **`zeek.ftp.cwd`** -: Current working directory that this session is in. By making the default value *.*, we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. +: Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. type: keyword - ## cmdarg [_cmdarg] Command that is currently waiting for a response. @@ -738,8 +727,7 @@ type: boolean type: keyword - -## http [_http_3] +## http [_http] Fields exported by the Zeek HTTP log @@ -857,7 +845,6 @@ type: integer type: integer - ## intel [_intel] Fields exported by the Zeek Intel log. @@ -946,7 +933,6 @@ type: keyword type: keyword - ## irc [_irc] Fields exported by the Zeek IRC log @@ -1005,8 +991,7 @@ type: keyword type: keyword - -## kerberos [_kerberos_3] +## kerberos [_kerberos] Fields exported by the Zeek Kerberos log @@ -1130,7 +1115,6 @@ type: keyword type: keyword - ## modbus [_modbus] Fields exported by the Zeek modbus log. @@ -1153,8 +1137,7 @@ type: keyword type: integer - -## mysql [_mysql_2] +## mysql [_mysql] Fields exported by the Zeek MySQL log. @@ -1188,7 +1171,6 @@ type: integer type: keyword - ## notice [_notice] Fields exported by the Zeek Notice log. 
@@ -1254,7 +1236,7 @@ type: long **`zeek.notice.file.overflow_bytes`** -: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled. +: The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. type: long @@ -1337,7 +1319,6 @@ type: double type: boolean - ## ntlm [_ntlm] Fields exported by the Zeek NTLM log. @@ -1384,7 +1365,6 @@ type: keyword type: keyword - ## ntp [_ntp] Fields exported by the Zeek NTP log. @@ -1467,10 +1447,10 @@ type: date type: integer - ## ocsp [_ocsp] -Fields exported by the Zeek OCSP log Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. +Fields exported by the Zeek OCSP log +Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. **`zeek.ocsp.file_id`** : File id of the OCSP reply. @@ -1485,13 +1465,13 @@ type: keyword **`zeek.ocsp.hash.issuer.name`** -: Hash of the issuer’s distingueshed name. +: Hash of the issuer's distingueshed name. type: keyword **`zeek.ocsp.hash.issuer.key`** -: Hash of the issuer’s public key. +: Hash of the issuer's public key. type: keyword @@ -1532,13 +1512,12 @@ type: date type: date - -## pe [_pe_2] +## pe [_pe] Fields exported by the Zeek pe log. **`zeek.pe.client`** -: The client’s version string. +: The client's version string. type: keyword @@ -1639,7 +1618,6 @@ type: boolean type: keyword - ## radius [_radius] Fields exported by the Zeek Radius log. @@ -1698,7 +1676,6 @@ type: integer type: boolean - ## rdp [_rdp] Fields exported by the Zeek RDP log. 
@@ -1710,7 +1687,7 @@ type: keyword **`zeek.rdp.result`** -: Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages. +: Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. type: keyword @@ -1805,7 +1782,6 @@ type: boolean type: boolean - ## rfb [_rfb] Fields exported by the Zeek RFB log. @@ -1870,7 +1846,6 @@ type: integer type: integer - ## signature [_signature] Fields exported by the Zeek Signature log. @@ -1911,7 +1886,6 @@ type: integer type: integer - ## sip [_sip] Fields exported by the Zeek SIP log. @@ -1947,7 +1921,7 @@ type: keyword **`zeek.sip.request.from`** -: Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged. +: Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword @@ -1971,7 +1945,7 @@ type: long **`zeek.sip.response.from`** -: Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged. +: Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword @@ -2042,7 +2016,6 @@ type: keyword type: keyword - ## smb_cmd [_smb_cmd] Fields exported by the Zeek smb_cmd log. @@ -2066,7 +2039,7 @@ type: keyword **`zeek.smb_cmd.status`** -: Server reply to the client’s command. +: Server reply to the client's command. type: keyword @@ -2101,8 +2074,7 @@ type: keyword type: keyword - -## file [_file_4] +## file [_file] If the command referenced a file, store it here. @@ -2148,7 +2120,6 @@ type: keyword type: integer - ## smb_files [_smb_files] Fields exported by the Zeek SMB Files log. 
@@ -2178,7 +2149,7 @@ type: keyword **`zeek.smb_files.previous_name`** -: If the rename action was seen, this will be the file’s previous name. +: If the rename action was seen, this will be the file's previous name. type: keyword @@ -2189,31 +2160,30 @@ type: keyword type: long - ## times [_times] Timestamps of the file. **`zeek.smb_files.times.accessed`** -: The file’s access time. +: The file's access time. type: date **`zeek.smb_files.times.changed`** -: The file’s change time. +: The file's change time. type: date **`zeek.smb_files.times.created`** -: The file’s create time. +: The file's create time. type: date **`zeek.smb_files.times.modified`** -: The file’s modify time. +: The file's modify time. type: date @@ -2224,7 +2194,6 @@ type: date type: keyword - ## smb_mapping [_smb_mapping] Fields exported by the Zeek SMB_Mapping log. @@ -2253,7 +2222,6 @@ type: keyword type: keyword - ## smtp [_smtp] Fields exported by the Zeek SMTP log. @@ -2396,7 +2364,6 @@ type: keyword type: boolean - ## snmp [_snmp] Fields exported by the Zeek SNMP log. @@ -2414,7 +2381,7 @@ type: keyword **`zeek.snmp.community`** -: The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. +: The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. type: keyword @@ -2450,12 +2417,11 @@ type: keyword **`zeek.snmp.up_since`** -: The time at which the SNMP responder endpoint claims it’s been up since. +: The time at which the SNMP responder endpoint claims it's been up since. type: date - ## socks [_socks] Fields exported by the Zeek SOCKS log. @@ -2514,13 +2480,12 @@ type: integer type: boolean - ## ssh [_ssh] Fields exported by the Zeek SSH log. **`zeek.ssh.client`** -: The client’s version string. +: The client's version string. type: keyword 
@@ -2532,13 +2497,13 @@ type: keyword **`zeek.ssh.host_key`** -: The server’s key thumbprint. +: The server's key thumbprint. type: keyword **`zeek.ssh.server`** -: The server’s version string. +: The server's version string. type: keyword @@ -2549,7 +2514,6 @@ type: keyword type: integer - ## algorithm [_algorithm] Cipher algorithms used in this session. @@ -2567,7 +2531,7 @@ type: keyword **`zeek.ssh.algorithm.host_key`** -: The server host key’s algorithm. +: The server host key's algorithm. type: keyword @@ -2585,7 +2549,7 @@ type: keyword **`zeek.ssh.auth.attempts`** -: The number of authentication attemps we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). +: The number of authentication attemps we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). type: integer @@ -2596,8 +2560,7 @@ type: integer type: boolean - -## ssl [_ssl_8] +## ssl [_ssl] Fields exported by the Zeek SSL log. @@ -2673,7 +2636,6 @@ type: keyword type: keyword - ## issuer [_issuer] Subject of the signer of the X.509 certificate offered by the server. @@ -2714,7 +2676,6 @@ type: keyword type: keyword - ## subject [_subject] Subject of the X.509 certificate offered by the server. @@ -2767,8 +2728,7 @@ type: keyword type: keyword - -## issuer [_issuer_2] +## issuer [_issuer] Subject of the signer of the X.509 certificate offered by the client. @@ -2808,8 +2768,7 @@ type: keyword type: keyword - -## subject [_subject_2] +## subject [_subject] Subject of the X.509 certificate offered by the client. @@ -2849,8 +2808,7 @@ type: keyword type: keyword - -## stats [_stats_2] +## stats [_stats] Fields exported by the Zeek stats log. 
@@ -3004,8 +2962,7 @@ type: integer type: integer - -## syslog [_syslog_4] +## syslog [_syslog] Fields exported by the Zeek syslog log. @@ -3027,7 +2984,6 @@ type: keyword type: keyword - ## tunnel [_tunnel] Fields exported by the Zeek SSH log. @@ -3044,7 +3000,6 @@ type: keyword type: keyword - ## weird [_weird] Fields exported by the Zeek Weird log. @@ -3079,8 +3034,7 @@ type: keyword type: keyword - -## x509 [_x509_2] +## x509 [_x509] Fields exported by the Zeek x509 log. @@ -3090,8 +3044,7 @@ Fields exported by the Zeek x509 log. type: keyword - -## certificate [_certificate_2] +## certificate [_certificate] Basic information about the certificate. @@ -3107,8 +3060,7 @@ type: integer type: keyword - -## subject [_subject_3] +## subject [_subject] Subject. @@ -3148,8 +3100,7 @@ type: keyword type: keyword - -## issuer [_issuer_3] +## issuer [_issuer] Issuer. @@ -3195,7 +3146,6 @@ type: keyword type: keyword - ## valid [_valid] Certificate validity timestamps @@ -3248,7 +3198,6 @@ type: keyword type: keyword - ## san [_san] Subject alternative name extension of the certificate. @@ -3283,7 +3232,6 @@ type: ip type: boolean - ## basic_constraints [_basic_constraints] Basic constraints extension of the certificate. diff --git a/docs/reference/filebeat/exported-fields-zookeeper.md b/docs/reference/filebeat/exported-fields-zookeeper.md index 472be5994b44..3c4b5ddc3569 100644 --- a/docs/reference/filebeat/exported-fields-zookeeper.md +++ b/docs/reference/filebeat/exported-fields-zookeeper.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zookeeper.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ZooKeeper fields [exported-fields-zookeeper] ZooKeeper Module - ## zookeeper [_zookeeper] -## audit [_audit_6] + +## audit [_audit] ZooKeeper Audit logs. @@ -51,8 +53,7 @@ type: keyword type: keyword - -## log [_log_14] +## log [_log] ZooKeeper logs. 
diff --git a/docs/reference/filebeat/exported-fields-zoom.md b/docs/reference/filebeat/exported-fields-zoom.md index efc2777b95e4..41557520832f 100644 --- a/docs/reference/filebeat/exported-fields-zoom.md +++ b/docs/reference/filebeat/exported-fields-zoom.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zoom.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Zoom fields [exported-fields-zoom] Module for handling incoming Zoom webhook requests - ## zoom [_zoom] Module for parsing Zoom API Webhooks. diff --git a/docs/reference/filebeat/exported-fields.md b/docs/reference/filebeat/exported-fields.md index 7bfb7491a137..c544a59229a9 100644 --- a/docs/reference/filebeat/exported-fields.md +++ b/docs/reference/filebeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Filebeat. They are grouped in the following categories: @@ -76,4 +78,3 @@ This document describes the fields that are exported by Filebeat. They are group * [*Zeek fields*](/reference/filebeat/exported-fields-zeek.md) * [*ZooKeeper fields*](/reference/filebeat/exported-fields-zookeeper.md) * [*Zoom fields*](/reference/filebeat/exported-fields-zoom.md) - diff --git a/docs/reference/heartbeat/exported-fields-beat-common.md b/docs/reference/heartbeat/exported-fields-beat-common.md index f48f6093737b..480ec55f0a72 100644 --- a/docs/reference/heartbeat/exported-fields-beat-common.md +++ b/docs/reference/heartbeat/exported-fields-beat-common.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/heartbeat/exported-fields-browser.md b/docs/reference/heartbeat/exported-fields-browser.md index 476142650835..a7dc0be177f0 100644 --- a/docs/reference/heartbeat/exported-fields-browser.md +++ b/docs/reference/heartbeat/exported-fields-browser.md @@ -3,21 +3,20 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-browser.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Synthetics browser metrics fields [exported-fields-browser] None - ## browser [_browser] Browser metrics and traces - ## experience [_experience] Absolute values of all user experience metrics in the browser relative to the navigation start event in microseconds - ## fcp [_fcp] duration of First contentful paint metric @@ -26,7 +25,6 @@ duration of First contentful paint metric : type: integer - ## lcp [_lcp] duration of Largest contentful paint metric @@ -35,7 +33,6 @@ duration of Largest contentful paint metric : type: integer - ## dcl [_dcl] duration of Document content loaded end event @@ -44,7 +41,6 @@ duration of Document content loaded end event : type: integer - ## load [_load] duration of Load end event @@ -59,7 +55,6 @@ duration of Load end event type: integer - ## relative_trace [_relative_trace] trace event with timing information that are realtive to journey timings in microseconds @@ -76,7 +71,6 @@ type: keyword type: text - ## start [_start] monotonically increasing trace start time in microseconds @@ -85,7 +79,6 @@ monotonically increasing trace start time in microseconds : type: long - ## duration [_duration] duration of the trace event in microseconds. 
diff --git a/docs/reference/heartbeat/exported-fields-cloud.md b/docs/reference/heartbeat/exported-fields-cloud.md index d905617a9508..711a8f4c80d0 100644 --- a/docs/reference/heartbeat/exported-fields-cloud.md +++ b/docs/reference/heartbeat/exported-fields-cloud.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/heartbeat/exported-fields-common.md b/docs/reference/heartbeat/exported-fields-common.md index 6d939c7ab60d..dd59e3c313bb 100644 --- a/docs/reference/heartbeat/exported-fields-common.md +++ b/docs/reference/heartbeat/exported-fields-common.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Common heartbeat monitor fields [exported-fields-common] None - ## monitor [_monitor] Common monitor fields. @@ -38,8 +39,7 @@ type: keyword : type: text - -## duration [_duration_2] +## duration [_duration] Total monitoring test duration @@ -97,7 +97,6 @@ type: date_range type: keyword - ## project [_project] Project info for this monitor diff --git a/docs/reference/heartbeat/exported-fields-docker-processor.md b/docs/reference/heartbeat/exported-fields-docker-processor.md index c985d77d8c1d..34dbe52dc001 100644 --- a/docs/reference/heartbeat/exported-fields-docker-processor.md +++ b/docs/reference/heartbeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. 
diff --git a/docs/reference/heartbeat/exported-fields-ecs.md b/docs/reference/heartbeat/exported-fields-ecs.md index 97dce77f1fe0..7996c56455f4 100644 --- a/docs/reference/heartbeat/exported-fields-ecs.md +++ b/docs/reference/heartbeat/exported-fields-ecs.md @@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Heartbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Heartbeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] - ## agent [_agent] -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text - ## client [_client] -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,7 +746,6 @@ type: boolean example: true - ## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs - ## destination [_destination] -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - ## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword - ## error [_error] -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException - ## event [_event] -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http - ## file [_file] -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,7 +2773,6 @@ type: keyword example: America/Argentina/Buenos_Aires - ## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 - ## log [_log] -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error - ## network [_network] -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal **`observer.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3763,7 +3761,7 @@ example: darwin **`observer.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3814,7 +3812,6 @@ example: Symantec type: keyword - ## orchestrator [_orchestrator] Fields that describe the resources which container orchestrators manage or act upon. @@ -3885,10 +3882,10 @@ type: keyword example: kubernetes - ## organization [_organization] -The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. **`organization.id`** : Unique identifier for the organization. @@ -3906,7 +3903,6 @@ type: keyword : type: match_only_text - ## os [_os] The OS fields contain information about the operating system. 
@@ -3960,7 +3956,7 @@ example: darwin **`os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3975,7 +3971,6 @@ type: keyword example: 10.14.1 - ## package [_package] These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. @@ -4027,7 +4022,7 @@ type: date **`package.license`** -: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)). +: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword @@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/ type: keyword -example: [https://golang.org](https://golang.org) +example: https://golang.org **`package.size`** @@ -4084,7 +4079,6 @@ type: keyword example: 1.12.9 - ## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415 **`pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -4145,10 +4139,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## process [_process] -These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. **`process.args`** : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. @@ -4275,7 +4269,7 @@ example: Intel **`process.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -4645,7 +4639,7 @@ example: Intel **`process.parent.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -4923,7 +4917,7 @@ example: 6.3.9600.17415 **`process.parent.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415 **`process.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -5150,7 +5144,6 @@ example: /home/alice : type: match_only_text - ## registry [_registry] Fields related to Windows Registry operations. 
@@ -5211,13 +5204,14 @@ type: keyword example: Debugger - ## related [_related] -This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. **`related.hash`** -: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). +: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword 
@@ -5240,10 +5234,10 @@ type: ip type: keyword - ## rule [_rule] -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. **`rule.author`** : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. @@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS **`rule.reference`** -: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) +example: https://en.wikipedia.org/wiki/DNS_over_TLS **`rule.ruleset`** 
@@ -5325,10 +5319,11 @@ type: keyword example: 1.1 - ## server [_server] -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`server.address`** : Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5383,7 +5378,7 @@ example: Montreal **`server.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -5507,7 +5502,7 @@ format: string **`server.registered_domain`** -: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -5523,7 +5518,7 @@ example: east **`server.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5543,7 +5538,7 @@ type: keyword **`server.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -5606,10 +5601,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## service [_service] -The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. **`service.address`** : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics **`service.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics **`service.origin.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics **`service.target.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5821,10 +5816,10 @@ type: keyword example: 3.2.4 - ## source [_source] -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`source.address`** : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5879,7 +5874,7 @@ example: Montreal **`source.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -6003,7 +5998,7 @@ format: string **`source.registered_domain`** -: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -6019,7 +6014,7 @@ example: east **`source.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6039,7 +6034,7 @@ type: keyword **`source.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -6102,10 +6097,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## threat [_threat] -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). **`threat.enrichments`** : A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -6140,7 +6135,7 @@ example: Google LLC **`threat.enrichments.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword 
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.enrichments.indicator.file.accessed`** @@ -6170,7 +6165,7 @@ type: date **`threat.enrichments.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -6310,7 +6305,7 @@ example: Intel **`threat.enrichments.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -6548,7 +6543,7 @@ example: 256383 **`threat.enrichments.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -6576,7 +6571,7 @@ example: example.png **`threat.enrichments.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword 
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415 **`threat.enrichments.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -6824,7 +6819,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -6894,7 +6889,7 @@ example: Montreal **`threat.enrichments.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.enrichments.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -7014,7 +7009,7 @@ example: 443 **`threat.enrichments.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -7026,7 +7021,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.enrichments.indicator.registry.data.bytes`** @@ -7102,7 +7097,7 @@ example: 20 **`threat.enrichments.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -7136,7 +7131,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.enrichments.indicator.url.full.text`** 
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.enrichments.indicator.url.original.text`** @@ -7184,7 +7179,7 @@ type: keyword **`threat.enrichments.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,7 +9550,6 @@ type: keyword example: 00f067aa0ba902b7 - ## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword - ## user [_user] -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/heartbeat/exported-fields-host-processor.md b/docs/reference/heartbeat/exported-fields-host-processor.md index f665ac1f259f..e0f62cfee27b 100644 --- a/docs/reference/heartbeat/exported-fields-host-processor.md +++ b/docs/reference/heartbeat/exported-fields-host-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/heartbeat/exported-fields-http.md b/docs/reference/heartbeat/exported-fields-http.md index 7017f693ad2e..677469f68a6d 100644 --- a/docs/reference/heartbeat/exported-fields-http.md +++ b/docs/reference/heartbeat/exported-fields-http.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-http.html --- +% This file is generated! See scripts/generate_fields_docs.py + # HTTP monitor fields [exported-fields-http] None - -## http [_http_2] +## http [_http] HTTP related fields. @@ -40,17 +41,19 @@ type: object Object is not enabled. - ## rtt [_rtt] HTTP layer round trip times. - ## validate [_validate] -Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already available network connection. +Duration between first byte of HTTP request being written and +response being processed by validator. Duration based on already +available network connection. -Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. +Note: if validator is not reading body or only a prefix, this + number does not fully represent the total time needed + to read the body. **`http.rtt.validate.us`** : Duration in microseconds @@ -58,12 +61,14 @@ Note: if validator is not reading body or only a prefix, this number does not fu type: long - ## validate_body [_validate_body] -Duration of validator required to read and validate the response body. +Duration of validator required to read and validate the response +body. -Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed to read the body. +Note: if validator is not reading body or only a prefix, this + number does not fully represent the total time needed + to read the body. **`http.rtt.validate_body.us`** : Duration in microseconds @@ -71,7 +76,6 @@ Note: if validator is not reading body or only a prefix, this number does not fu type: long - ## write_request [_write_request] Duration of sending the complete HTTP request. Duration based on already available network connection. 
@@ -82,7 +86,6 @@ Duration of sending the complete HTTP request. Duration based on already availab type: long - ## response_header [_response_header] Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. @@ -99,12 +102,14 @@ type: long type: long - ## total [_total] -Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator did check the response. +Duration required to process the HTTP transaction. Starts with +the initial TCP connection attempt. Ends with after validator +did check the response. -Note: if validator is not reading body or only a prefix, this number does not fully represent the total time needed. +Note: if validator is not reading body or only a prefix, this + number does not fully represent the total time needed. **`http.rtt.total.us`** : Duration in microseconds diff --git a/docs/reference/heartbeat/exported-fields-icmp.md b/docs/reference/heartbeat/exported-fields-icmp.md index db28a3a11af8..d3c83b53b954 100644 --- a/docs/reference/heartbeat/exported-fields-icmp.md +++ b/docs/reference/heartbeat/exported-fields-icmp.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-icmp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ICMP fields [exported-fields-icmp] None - ## icmp [_icmp] IP ping fields. @@ -18,8 +19,7 @@ IP ping fields. type: integer - -## rtt [_rtt_2] +## rtt [_rtt] ICMP Echo Request and Reply round trip time diff --git a/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md index 3e623efe1407..882f3a2117a2 100644 --- a/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/heartbeat/exported-fields-jolokia-autodiscover.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword diff --git a/docs/reference/heartbeat/exported-fields-kubernetes-processor.md b/docs/reference/heartbeat/exported-fields-kubernetes-processor.md index db83915e2423..04373fb03f8c 100644 --- a/docs/reference/heartbeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/heartbeat/exported-fields-kubernetes-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/heartbeat/exported-fields-process.md b/docs/reference/heartbeat/exported-fields-process.md index ed06dc6435dd..847cca815c8f 100644 --- a/docs/reference/heartbeat/exported-fields-process.md +++ b/docs/reference/heartbeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields @@ -13,7 +15,6 @@ Process metadata fields alias to: process.executable - ## owner [_owner] Process owner information. diff --git a/docs/reference/heartbeat/exported-fields-resolve.md b/docs/reference/heartbeat/exported-fields-resolve.md index 1beef91c6cf1..302590d48561 100644 
--- a/docs/reference/heartbeat/exported-fields-resolve.md +++ b/docs/reference/heartbeat/exported-fields-resolve.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-resolve.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host lookup fields [exported-fields-resolve] None - ## resolve [_resolve] Host lookup fields. @@ -26,8 +27,7 @@ alias to: url.domain type: ip - -## rtt [_rtt_3] +## rtt [_rtt] Duration required to resolve an IP from hostname. diff --git a/docs/reference/heartbeat/exported-fields-service.md b/docs/reference/heartbeat/exported-fields-service.md index 794fd2fb8a80..d7b5c0d3b9d6 100644 --- a/docs/reference/heartbeat/exported-fields-service.md +++ b/docs/reference/heartbeat/exported-fields-service.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-service.html --- +% This file is generated! See scripts/generate_fields_docs.py + # APM Service fields [exported-fields-service] None diff --git a/docs/reference/heartbeat/exported-fields-socks5.md b/docs/reference/heartbeat/exported-fields-socks5.md index 47e74c33eb57..8488c0b558e2 100644 --- a/docs/reference/heartbeat/exported-fields-socks5.md +++ b/docs/reference/heartbeat/exported-fields-socks5.md @@ -3,21 +3,20 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-socks5.html --- +% This file is generated! See scripts/generate_fields_docs.py + # SOCKS5 proxy fields [exported-fields-socks5] None - ## socks5 [_socks5] SOCKS5 proxy related fields: - -## rtt [_rtt_4] +## rtt [_rtt] TLS layer round trip times. - ## connect [_connect] Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. diff --git a/docs/reference/heartbeat/exported-fields-state.md b/docs/reference/heartbeat/exported-fields-state.md index e1f507a02292..c6b7bf58851f 100644 
--- a/docs/reference/heartbeat/exported-fields-state.md +++ b/docs/reference/heartbeat/exported-fields-state.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-state.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Monitor state fields [exported-fields-state] state related fields - ## state [_state] Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`. diff --git a/docs/reference/heartbeat/exported-fields-summary.md b/docs/reference/heartbeat/exported-fields-summary.md index ab96ab08496c..96170a7bc993 100644 --- a/docs/reference/heartbeat/exported-fields-summary.md +++ b/docs/reference/heartbeat/exported-fields-summary.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-summary.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Monitor summary fields [exported-fields-summary] None - ## summary [_summary] Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`. diff --git a/docs/reference/heartbeat/exported-fields-synthetics.md b/docs/reference/heartbeat/exported-fields-synthetics.md index c526d492904b..b2056f334f47 100644 --- a/docs/reference/heartbeat/exported-fields-synthetics.md +++ b/docs/reference/heartbeat/exported-fields-synthetics.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-synthetics.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Synthetics types fields [exported-fields-synthetics] None - ## synthetics [_synthetics] Synthetics related fields. @@ -60,8 +61,7 @@ type: keyword : type: keyword - -## duration [_duration_3] +## duration [_duration] Duration required to complete the step. 
@@ -85,8 +85,7 @@ type: integer type: keyword - -## duration [_duration_4] +## duration [_duration] Duration required to complete the journey. @@ -120,10 +119,9 @@ type: integer type: integer - ## blocks [_blocks] -Attributes representing individual screenshot blocks. Only hash is indexed since it’s the only one we’d query on. +Attributes representing individual screenshot blocks. Only hash is indexed since it's the only one we'd query on. **`synthetics.screenshot_ref.blocks.hash`** : Hash that uniquely identifies this image by content. Corresponds to block document id. diff --git a/docs/reference/heartbeat/exported-fields-tcp.md b/docs/reference/heartbeat/exported-fields-tcp.md index 719608b9a9f8..2f7d1f420572 100644 --- a/docs/reference/heartbeat/exported-fields-tcp.md +++ b/docs/reference/heartbeat/exported-fields-tcp.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-tcp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # TCP layer fields [exported-fields-tcp] None - ## tcp [_tcp] TCP network layer related fields. @@ -20,13 +21,11 @@ type: alias alias to: url.port - -## rtt [_rtt_5] +## rtt [_rtt] TCP layer round trip times. - -## connect [_connect_2] +## connect [_connect] Duration required to establish a TCP connection based on already available IP address. @@ -36,8 +35,7 @@ Duration required to establish a TCP connection based on already available IP ad type: long - -## validate [_validate_2] +## validate [_validate] Duration of validation step based on existing TCP connection. diff --git a/docs/reference/heartbeat/exported-fields-tls.md b/docs/reference/heartbeat/exported-fields-tls.md index 62d6f11e3eb2..9ca2f3dae86c 100644 --- a/docs/reference/heartbeat/exported-fields-tls.md +++ b/docs/reference/heartbeat/exported-fields-tls.md 
@@ -3,41 +3,36 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields-tls.html --- +% This file is generated! See scripts/generate_fields_docs.py + # TLS encryption layer fields [exported-fields-tls] None - -## tls [_tls_2] +## tls [_tls] TLS layer related fields. **`tls.certificate_not_valid_before`** -: :::{admonition} Deprecated in 7.8.0 - Deprecated in favor of `tls.server.x509.not_before`. - ::: +: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. -Earliest time at which the connection’s certificates are valid. +{applies_to}`product: deprecated 7.8.0` type: date **`tls.certificate_not_valid_after`** -: :::{admonition} Deprecated in 7.8.0 - Deprecated in favor of `tls.server.x509.not_after`. - ::: +: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. -Latest time at which the connection’s certificates are valid. +{applies_to}`product: deprecated 7.8.0` type: date - -## rtt [_rtt_6] +## rtt [_rtt] TLS layer round trip times. - ## handshake [_handshake] Time required to finish TLS handshake based on already available network connection. @@ -48,8 +43,7 @@ Time required to finish TLS handshake based on already available network connect type: long - -## server [_server_2] +## server [_server] Detailed x509 certificate metadata diff --git a/docs/reference/heartbeat/exported-fields.md b/docs/reference/heartbeat/exported-fields.md index f6d149c41ed4..aa8132964fee 100644 --- a/docs/reference/heartbeat/exported-fields.md +++ b/docs/reference/heartbeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/heartbeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Heartbeat. They are grouped in the following categories: 
@@ -27,4 +29,3 @@ This document describes the fields that are exported by Heartbeat. They are grou * [*Synthetics types fields*](/reference/heartbeat/exported-fields-synthetics.md) * [*TCP layer fields*](/reference/heartbeat/exported-fields-tcp.md) * [*TLS encryption layer fields*](/reference/heartbeat/exported-fields-tls.md) - diff --git a/docs/reference/metricbeat/exported-fields-activemq.md b/docs/reference/metricbeat/exported-fields-activemq.md index 6314fea4f7b6..41d8f488d455 100644 --- a/docs/reference/metricbeat/exported-fields-activemq.md +++ b/docs/reference/metricbeat/exported-fields-activemq.md @@ -3,14 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-activemq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ActiveMQ fields [exported-fields-activemq] activemq module - ## activemq [_activemq] + ## broker [_broker] Broker metrics from org.apache.activemq:brokerName=*,type=Broker @@ -87,10 +89,9 @@ type: long type: long +## queue [_queue] -## queue [_queue_7] - -Queue metrics from org.apache.activemq:brokerName=**,destinationName=**,destinationType=Queue,type=Broker +Queue metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Queue,type=Broker **`activemq.queue.mbean`** : Mbean that this event is related to @@ -184,10 +185,9 @@ type: long type: long - ## topic [_topic] -Topic metrics from org.apache.activemq:brokerName=**,destinationName=**,destinationType=Topic,type=Broker +Topic metrics from org.apache.activemq:brokerName=*,destinationName=*,destinationType=Topic,type=Broker **`activemq.topic.mbean`** : Mbean that this event is related to diff --git a/docs/reference/metricbeat/exported-fields-aerospike.md b/docs/reference/metricbeat/exported-fields-aerospike.md index 76252fa9a4cd..32f703876adf 100644 --- a/docs/reference/metricbeat/exported-fields-aerospike.md +++ b/docs/reference/metricbeat/exported-fields-aerospike.md 
@@ -3,24 +3,24 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-aerospike.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Aerospike fields [exported-fields-aerospike] Aerospike module - ## aerospike [_aerospike] + ## namespace [_namespace] namespace - ## client [_client] Client stats. - ## delete [_delete] Client delete transactions stats. @@ -49,7 +49,6 @@ type: long type: long - ## read [_read] Client read transactions stats. @@ -78,7 +77,6 @@ type: long type: long - ## write [_write] Client write transactions stats. @@ -101,7 +99,6 @@ type: long type: long - ## device [_device] Disk storage stats @@ -139,13 +136,12 @@ format: bytes **`aerospike.namespace.hwm_breached`** -: If true, Aerospike has breached *high-water-[disk|memory]-pct* for this namespace. +: If true, Aerospike has breached 'high-water-[disk|memory]-pct' for this namespace. type: boolean - -## memory [_memory_2] +## memory [_memory] Memory storage stats. @@ -207,7 +203,6 @@ type: keyword type: keyword - ## objects [_objects] Records stats. diff --git a/docs/reference/metricbeat/exported-fields-airflow.md b/docs/reference/metricbeat/exported-fields-airflow.md index 6c2365248a42..9025d21ec49c 100644 --- a/docs/reference/metricbeat/exported-fields-airflow.md +++ b/docs/reference/metricbeat/exported-fields-airflow.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-airflow.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Airflow fields [exported-fields-airflow] Airflow module diff --git a/docs/reference/metricbeat/exported-fields-apache.md b/docs/reference/metricbeat/exported-fields-apache.md index 9b43c1d93f38..8e3c673bb951 100644 --- a/docs/reference/metricbeat/exported-fields-apache.md +++ b/docs/reference/metricbeat/exported-fields-apache.md 
@@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-apache.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Apache fields [exported-fields-apache] Apache HTTPD server metricsets collected from the Apache web server. - ## apache [_apache] `apache` contains the metrics that were scraped from Apache. - ## status [_status] `status` contains the metrics that were scraped from the Apache status page. @@ -65,8 +65,7 @@ type: long type: long - -## uptime [_uptime_2] +## uptime [_uptime] Uptime stats. @@ -82,8 +81,7 @@ type: long type: long - -## cpu [_cpu_2] +## cpu [_cpu] CPU stats. @@ -117,7 +115,6 @@ type: scaled_float type: scaled_float - ## connections [_connections] Connection stats. @@ -146,8 +143,7 @@ type: long type: long - -## load [_load_2] +## load [_load] Load averages. @@ -169,7 +165,6 @@ type: scaled_float type: scaled_float - ## scoreboard [_scoreboard] Scoreboard metrics. diff --git a/docs/reference/metricbeat/exported-fields-autoops_es.md b/docs/reference/metricbeat/exported-fields-autoops_es.md new file mode 100644 index 000000000000..e0f626c60cfb --- /dev/null +++ b/docs/reference/metricbeat/exported-fields-autoops_es.md 
@@ -0,0 +1,1229 @@ +--- +mapped_pages: + - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-autoops_es.html +--- + +% This file is generated! See scripts/generate_fields_docs.py + +# AutoOps ES fields [exported-fields-autoops_es] + +AutoOps Elasticsearch module + +## autoops_es [_autoops_es] + + + +## cat_shards [_cat_shards] + +cat shards information from the cluster + +**`autoops_es.cat_shards.ip`** +: Shard id + +type: keyword + + +**`autoops_es.cat_shards.index`** +: Shard index + +type: keyword + + +**`autoops_es.cat_shards.shard`** +: Shard number + +type: keyword + + +**`autoops_es.cat_shards.prirep`** +: Primary / Replica shard + +type: keyword + + +**`autoops_es.cat_shards.state`** +: State of the shard + +type: keyword + + +**`autoops_es.cat_shards.docs`** +: Docs count + +type: long + + +**`autoops_es.cat_shards.store`** +: Shard size in bytes + +type: long + + +**`autoops_es.cat_shards.segments_count`** +: Shard segments count + +type: long + + +**`autoops_es.cat_shards.search_query_total`** +: Shard search count + +type: long + + +**`autoops_es.cat_shards.search_query_time`** +: Shard search time in millis + +type: long + + +**`autoops_es.cat_shards.indexing_index_total`** +: Shard indexing total + +type: long + + +**`autoops_es.cat_shards.indexing_index_time`** +: Shard indexing time + +type: long + + +**`autoops_es.cat_shards.indexing_index_failed`** +: Shard indexing failed + +type: long + + +**`autoops_es.cat_shards.merges_total`** +: Shard merges total + +type: long + + +**`autoops_es.cat_shards.merges_total_size`** +: Shard merges size in bytes + +type: long + + +**`autoops_es.cat_shards.merges_total_time`** +: Shard merges time in millis + +type: long + + +## cat_template [_cat_template] + +tasks information from the cluster + +**`autoops_es.cat_template.index`** +: index name + +type: keyword + + +**`autoops_es.cat_template.managed`** +: indicate whether this index is ilm managed + +type: boolean + + 
+**`autoops_es.cat_template.policy`** +: policy name + +type: keyword + + +**`autoops_es.cat_template.lifecycle_date_millis`** +: lifecycle date in epoch millis + +type: long + + +**`autoops_es.cat_template.lifecycle_date`** +: lifecycle date + +type: date + + +**`autoops_es.cat_template.phase`** +: phase stage + +type: keyword + + +**`autoops_es.cat_template.phase_time_millis`** +: phase time in millis + +type: long + + +**`autoops_es.cat_template.phase_time`** +: phase time + +type: date + + +**`autoops_es.cat_template.action`** +: action name + +type: keyword + + +## cluster_health [_cluster_health] + +cluster health metrics + +**`autoops_es.cluster_health.cluster_name`** +: The cluster name + +type: keyword + + +**`autoops_es.cluster_health.status`** +: The cluster status + +type: keyword + + +**`autoops_es.cluster_health.timed_out`** +: Whether the call for status was timed out + +type: keyword + + +**`autoops_es.cluster_health.number_of_nodes`** +: Number of nodes on cluster + +type: long + + +**`autoops_es.cluster_health.number_of_data_nodes`** +: The number of data nodes + +type: long + + +**`autoops_es.cluster_health.active_primary_shards`** +: The number of active primary shards + +type: long + + +**`autoops_es.cluster_health.active_shards`** +: The number of active shards + +type: long + + +**`autoops_es.cluster_health.relocating_shards`** +: The number of relocating shards + +type: long + + +**`autoops_es.cluster_health.initializing_shards`** +: The number of initializing shards + +type: long + + +**`autoops_es.cluster_health.unassigned_shards`** +: The number of unassigned shards + +type: long + + +**`autoops_es.cluster_health.delayed_unassigned_shards`** +: The delayed unassigned shards + +type: long + + +**`autoops_es.cluster_health.number_of_pending_tasks`** +: The number of pending tasks + +type: long + + +**`autoops_es.cluster_health.number_of_in_flight_fetch`** +: The number of in flight_fetch + +type: long + + 
+**`autoops_es.cluster_health.task_max_waiting_in_queue_millis`** +: The task max waiting in queue millis + +type: long + + +**`autoops_es.cluster_health.active_shards_percent_as_number`** +: The active shards percent as number + +type: long + + +## cluster_settings [_cluster_settings] + +cluster_settings + +## defaults [_defaults] + +default settings + +## discovery [_discovery] + +discovery settings + +## zen [_zen] + +zen discovery settings + +**`autoops_es.cluster_settings.defaults.discovery.zen.minimum_master_nodes`** +: minimum_master_nodes + +type: keyword + + +## cluster [_cluster] + +cluster settings + +**`autoops_es.cluster_settings.defaults.cluster.max_shards_per_node`** +: max_shards_per_node + +type: keyword + + +## routing [_routing] + +routing settings + +## allocation [_allocation] + +allocation settings + +## disk [_disk] + +disk settings + +## watermark [_watermark] + +watermark settings + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.disk.watermark.low`** +: low watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.disk.watermark.high`** +: high watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.disk.watermark.flood_stage`** +: flood_stage watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.node_concurrent_outgoing_recoveries`** +: node_concurrent_outgoing_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.cluster_concurrent_rebalance`** +: cluster_concurrent_rebalance + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.node_concurrent_recoveries`** +: node_concurrent_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.routing.allocation.total_shards_per_node`** +: total_shards_per_node + +type: keyword + + +## blocks [_blocks] + +blocks settings + 
+**`autoops_es.cluster_settings.defaults.cluster.blocks.read_only`** +: read_only settings + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.blocks.create_index`** +: create_index settings + +type: keyword + + +**`autoops_es.cluster_settings.defaults.cluster.blocks.read_only_allow_delete`** +: read_only_allow_delete settings + +type: keyword + + +## bootstrap [_bootstrap] + +bootstrap settings + +**`autoops_es.cluster_settings.defaults.bootstrap.memory_lock`** +: memory_lock settings + +type: keyword + + +## search [_search] + +search settings + +**`autoops_es.cluster_settings.defaults.search.default_search_timeout`** +: default_search_timeout + +type: keyword + + +**`autoops_es.cluster_settings.defaults.search.max_buckets`** +: max_buckets + +type: keyword + + +## indices [_indices] + +indices settings + +## recovery [_recovery] + +recovery settings + +**`autoops_es.cluster_settings.defaults.indices.recovery.max_bytes_per_sec`** +: max_bytes_per_sec settings + +type: keyword + + +## breaker [_breaker] + +breaker settings + +## request [_request] + +request breaker settings + +**`autoops_es.cluster_settings.defaults.indices.breaker.request.limit`** +: limit settings + +type: keyword + + +## total [_total] + +total breaker settings + +**`autoops_es.cluster_settings.defaults.indices.breaker.total.limit`** +: limit settings + +type: keyword + + +## query [_query] + +query settings + +## query_string [_query_string] + +query_string settings + +**`autoops_es.cluster_settings.defaults.indices.query.query_string.allowLeadingWildcard`** +: allowLeadingWildcard settings + +type: keyword + + +## action [_action] + +action settings + +**`autoops_es.cluster_settings.defaults.action.destructive_requires_name`** +: destructive_requires_name settings + +type: keyword + + +## persistent [_persistent] + +persistent settings + +## discovery [_discovery] + +discovery settings + +## zen [_zen] + +zen discovery settings + 
+**`autoops_es.cluster_settings.persistent.discovery.zen.minimum_master_nodes`** +: minimum_master_nodes + +type: keyword + + +## cluster [_cluster] + +cluster settings + +**`autoops_es.cluster_settings.persistent.cluster.max_shards_per_node`** +: max_shards_per_node + +type: keyword + + +## routing [_routing] + +routing settings + +## allocation [_allocation] + +allocation settings + +## disk [_disk] + +disk settings + +## watermark [_watermark] + +watermark settings + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.disk.watermark.low`** +: low watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.disk.watermark.high`** +: high watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.disk.watermark.flood_stage`** +: flood_stage watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.node_concurrent_outgoing_recoveries`** +: node_concurrent_outgoing_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.cluster_concurrent_rebalance`** +: cluster_concurrent_rebalance + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.node_concurrent_recoveries`** +: node_concurrent_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.routing.allocation.total_shards_per_node`** +: total_shards_per_node + +type: keyword + + +## blocks [_blocks] + +blocks settings + +**`autoops_es.cluster_settings.persistent.cluster.blocks.read_only`** +: read_only settings + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.blocks.create_index`** +: create_index settings + +type: keyword + + +**`autoops_es.cluster_settings.persistent.cluster.blocks.read_only_allow_delete`** +: read_only_allow_delete settings + +type: keyword + + +## bootstrap [_bootstrap] + +bootstrap settings + 
+**`autoops_es.cluster_settings.persistent.bootstrap.memory_lock`** +: memory_lock settings + +type: keyword + + +## search [_search] + +search settings + +**`autoops_es.cluster_settings.persistent.search.default_search_timeout`** +: default_search_timeout + +type: keyword + + +**`autoops_es.cluster_settings.persistent.search.max_buckets`** +: max_buckets + +type: keyword + + +## indices [_indices] + +indices settings + +## recovery [_recovery] + +recovery settings + +**`autoops_es.cluster_settings.persistent.indices.recovery.max_bytes_per_sec`** +: max_bytes_per_sec settings + +type: keyword + + +## breaker [_breaker] + +breaker settings + +## request [_request] + +request breaker settings + +**`autoops_es.cluster_settings.persistent.indices.breaker.request.limit`** +: limit settings + +type: keyword + + +## total [_total] + +total breaker settings + +**`autoops_es.cluster_settings.persistent.indices.breaker.total.limit`** +: limit settings + +type: keyword + + +## query [_query] + +query settings + +## query_string [_query_string] + +query_string settings + +**`autoops_es.cluster_settings.persistent.indices.query.query_string.allowLeadingWildcard`** +: allowLeadingWildcard settings + +type: keyword + + +## action [_action] + +action settings + +**`autoops_es.cluster_settings.persistent.action.destructive_requires_name`** +: destructive_requires_name settings + +type: keyword + + +## transient [_transient] + +transient settings + +## discovery [_discovery] + +discovery settings + +## zen [_zen] + +zen discovery settings + +**`autoops_es.cluster_settings.transient.discovery.zen.minimum_master_nodes`** +: minimum_master_nodes + +type: keyword + + +## cluster [_cluster] + +cluster settings + +**`autoops_es.cluster_settings.transient.cluster.max_shards_per_node`** +: max_shards_per_node + +type: keyword + + +## routing [_routing] + +routing settings + +## allocation [_allocation] + +allocation settings + +## disk [_disk] + +disk settings + +## watermark [_watermark] + 
+watermark settings + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.disk.watermark.low`** +: low watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.disk.watermark.high`** +: high watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.disk.watermark.flood_stage`** +: flood_stage watermark settings + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.node_concurrent_outgoing_recoveries`** +: node_concurrent_outgoing_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.cluster_concurrent_rebalance`** +: cluster_concurrent_rebalance + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.node_concurrent_recoveries`** +: node_concurrent_recoveries + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.routing.allocation.total_shards_per_node`** +: total_shards_per_node + +type: keyword + + +## blocks [_blocks] + +blocks settings + +**`autoops_es.cluster_settings.transient.cluster.blocks.read_only`** +: read_only settings + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.blocks.create_index`** +: create_index settings + +type: keyword + + +**`autoops_es.cluster_settings.transient.cluster.blocks.read_only_allow_delete`** +: read_only_allow_delete settings + +type: keyword + + +## bootstrap [_bootstrap] + +bootstrap settings + +**`autoops_es.cluster_settings.transient.bootstrap.memory_lock`** +: memory_lock settings + +type: keyword + + +## search [_search] + +search settings + +**`autoops_es.cluster_settings.transient.search.default_search_timeout`** +: default_search_timeout + +type: keyword + + +**`autoops_es.cluster_settings.transient.search.max_buckets`** +: max_buckets + +type: keyword + + +## indices [_indices] + +indices settings + +## recovery [_recovery] + +recovery settings + 
+**`autoops_es.cluster_settings.transient.indices.recovery.max_bytes_per_sec`** +: max_bytes_per_sec settings + +type: keyword + + +## breaker [_breaker] + +breaker settings + +## request [_request] + +request breaker settings + +**`autoops_es.cluster_settings.transient.indices.breaker.request.limit`** +: limit settings + +type: keyword + + +## total [_total] + +total breaker settings + +**`autoops_es.cluster_settings.transient.indices.breaker.total.limit`** +: limit settings + +type: keyword + + +## query [_query] + +query settings + +## query_string [_query_string] + +query_string settings + +**`autoops_es.cluster_settings.transient.indices.query.query_string.allowLeadingWildcard`** +: allowLeadingWildcard settings + +type: keyword + + +## action [_action] + +action settings + +**`autoops_es.cluster_settings.transient.action.destructive_requires_name`** +: destructive_requires_name settings + +type: keyword + + +## component_template [_component_template] + +component template information from the cluster + +**`autoops_es.component_template.index`** +: index name + +type: keyword + + +**`autoops_es.component_template.managed`** +: indicate whether this index is ilm managed + +type: boolean + + +**`autoops_es.component_template.policy`** +: policy name + +type: keyword + + +**`autoops_es.component_template.lifecycle_date_millis`** +: lifecycle date in epoch millis + +type: long + + +**`autoops_es.component_template.lifecycle_date`** +: lifecycle date + +type: date + + +**`autoops_es.component_template.phase`** +: phase stage + +type: keyword + + +**`autoops_es.component_template.phase_time_millis`** +: phase time in millis + +type: long + + +**`autoops_es.component_template.phase_time`** +: phase time + +type: date + + +**`autoops_es.component_template.action`** +: action name + +type: keyword + + +## index_template [_index_template] + +index templates from the cluster + +**`autoops_es.index_template.index`** +: index name + +type: keyword + + 
+**`autoops_es.index_template.managed`** +: indicate whether this index is ilm managed + +type: boolean + + +**`autoops_es.index_template.policy`** +: policy name + +type: keyword + + +**`autoops_es.index_template.lifecycle_date_millis`** +: lifecycle date in epoch millis + +type: long + + +**`autoops_es.index_template.lifecycle_date`** +: lifecycle date + +type: date + + +**`autoops_es.index_template.phase`** +: phase stage + +type: keyword + + +**`autoops_es.index_template.phase_time_millis`** +: phase time in millis + +type: long + + +**`autoops_es.index_template.phase_time`** +: phase time + +type: date + + +**`autoops_es.index_template.action`** +: action name + +type: keyword + + +## node.stats [_node.stats] + +node_stats + +## indices [_indices] + +Node indices stats + +**`autoops_es.node.stats.indices.docs.count`** +: Total number of existing documents. + +type: long + + +**`autoops_es.node.stats.indices.docs.deleted`** +: Total number of deleted documents. + +type: long + + +**`autoops_es.node.stats.indices.segments.count`** +: Total number of segments. + +type: long + + +**`autoops_es.node.stats.indices.segments.memory.bytes`** +: Total size of segments in bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.indices.store.size.bytes`** +: Total size of the store in bytes. + +type: long + + +## jvm.mem.pools [_jvm.mem.pools] + +JVM memory pool stats + +## old [_old] + +Old memory pool stats. + +**`autoops_es.node.stats.jvm.mem.pools.old.max.bytes`** +: Max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.old.peak.bytes`** +: Peak bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.old.peak_max.bytes`** +: Peak max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.old.used.bytes`** +: Used bytes. + +type: long + +format: bytes + + +## young [_young] + +Young memory pool stats. 
+ +**`autoops_es.node.stats.jvm.mem.pools.young.max.bytes`** +: Max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.young.peak.bytes`** +: Peak bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.young.peak_max.bytes`** +: Peak max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.young.used.bytes`** +: Used bytes. + +type: long + +format: bytes + + +## survivor [_survivor] + +Survivor memory pool stats. + +**`autoops_es.node.stats.jvm.mem.pools.survivor.max.bytes`** +: Max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.survivor.peak.bytes`** +: Peak bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.survivor.peak_max.bytes`** +: Peak max bytes. + +type: long + +format: bytes + + +**`autoops_es.node.stats.jvm.mem.pools.survivor.used.bytes`** +: Used bytes. + +type: long + +format: bytes + + +## jvm.gc.collectors [_jvm.gc.collectors] + +GC collector stats. + +## old.collection [_old.collection] + +Old collection gc. + +**`autoops_es.node.stats.jvm.gc.collectors.old.collection.count`** +: type: long + + +**`autoops_es.node.stats.jvm.gc.collectors.old.collection.ms`** +: type: long + + +## young.collection [_young.collection] + +Young collection gc. 
+ +**`autoops_es.node.stats.jvm.gc.collectors.young.collection.count`** +: type: long + + +**`autoops_es.node.stats.jvm.gc.collectors.young.collection.ms`** +: type: long + + +## fs.summary [_fs.summary] + +File system summary + +**`autoops_es.node.stats.fs.summary.total.bytes`** +: type: long + +format: bytes + + +**`autoops_es.node.stats.fs.summary.free.bytes`** +: type: long + +format: bytes + + +**`autoops_es.node.stats.fs.summary.available.bytes`** +: type: long + +format: bytes + + +## tasks_management [_tasks_management] + +tasks information from cluster + +**`autoops_es.tasks_management.taskId`** +: task full id + +type: keyword + + +**`autoops_es.tasks_management.id`** +: task internal node id + +type: integer + + +**`autoops_es.tasks_management.node`** +: node id + +type: keyword + + +**`autoops_es.tasks_management.taskType`** +: task type + +type: keyword + + +**`autoops_es.tasks_management.action`** +: task action + +type: keyword + + +**`autoops_es.tasks_management.startTimeInMillis`** +: task start time in millis + +type: long + + +**`autoops_es.tasks_management.runningTimeInNanos`** +: task running time in nanos + +type: long + + +**`autoops_es.tasks_management.parentTaskId`** +: task parent id + +type: keyword + + diff --git a/docs/reference/metricbeat/exported-fields-aws.md b/docs/reference/metricbeat/exported-fields-aws.md index 4c262d9eba84..499d6d13916d 100644 --- a/docs/reference/metricbeat/exported-fields-aws.md +++ b/docs/reference/metricbeat/exported-fields-aws.md @@ -3,13 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-aws.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AWS fields [exported-fields-aws] `aws` module collects AWS monitoring metrics from AWS Cloudwatch. - ## aws [_aws] + + **`aws.tags.*`** : Tag key value pairs from aws resources. @@ -46,7 +49,6 @@ type: keyword type: keyword - ## awshealth [_awshealth] AWS Health metrics 
@@ -177,8 +179,7 @@ type: keyword type: keyword - -## billing [_billing_4] +## billing [_billing] `billing` contains the estimated charges for your AWS account in Cloudwatch. @@ -290,8 +291,7 @@ type: keyword type: object - -## cloudwatch [_cloudwatch_2] +## cloudwatch [_cloudwatch] `cloudwatch` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by different namespaces. @@ -301,8 +301,7 @@ type: object type: keyword - -## dynamodb [_dynamodb_2] +## dynamodb [_dynamodb] `dynamodb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS DynamoDB. @@ -468,8 +467,7 @@ type: double type: double - -## ebs [_ebs_2] +## ebs [_ebs] `ebs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EBS. @@ -539,8 +537,7 @@ type: double type: double - -## ec2 [_ec2_2] +## ec2 [_ec2] `ec2` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EC2. @@ -756,8 +753,7 @@ type: keyword type: integer - -## elb [_elb_2] +## elb [_elb] `elb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ELB. @@ -863,7 +859,6 @@ type: double type: double - ## applicationelb [_applicationelb] `applicationelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS ApplicationELB. @@ -893,7 +888,7 @@ type: long **`aws.applicationelb.metrics.HTTP_Redirect_Url_Limit_Exceeded_Count.sum`** -: The number of redirect actions that couldn’t be completed because the URL in the response location header is larger than 8K. +: The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K. type: long 
@@ -1000,7 +995,6 @@ type: long type: long - ## networkelb [_networkelb] `networkelb` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS NetworkELB. @@ -1101,7 +1095,6 @@ type: long type: long - ## kinesis [_kinesis] `kinesis` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by Amazon Kinesis. @@ -1245,7 +1238,7 @@ type: long **`aws.kinesis.metrics.SubscribeToShardEvent_Success.avg`** -: This metric is emitted every time an event is published successfully. It is only emitted when there’s an active subscription. +: This metric is emitted every time an event is published successfully. It is only emitted when there's an active subscription. type: long @@ -1256,8 +1249,7 @@ type: long type: long - -## lambda [_lambda_2] +## lambda [_lambda] `lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda. @@ -1310,7 +1302,7 @@ type: double **`aws.lambda.metrics.UnreservedConcurrentExecutions.avg`** -: For an AWS Region, the number of events that are being processed by functions that don’t have reserved concurrency. +: For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency. type: double @@ -1339,8 +1331,7 @@ type: long type: long - -## natgateway [_natgateway_2] +## natgateway [_natgateway] `natgateway` contains the metrics from Cloudwatch to track usage of NAT gateway related resources. @@ -1428,8 +1419,7 @@ type: long type: long - -## rds [_rds_2] +## rds [_rds] `rds` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS RDS. 
@@ -1876,7 +1866,7 @@ type: long **`aws.rds.storage_used.backup_retention_period.bytes`** -: The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster’s backup retention window. +: The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster's backup retention window. type: long @@ -1923,8 +1913,7 @@ type: long type: long - -## s3_daily_storage [_s3_daily_storage_2] +## s3_daily_storage [_s3_daily_storage] `s3_daily_storage` contains the daily storage metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3. @@ -1942,8 +1931,7 @@ format: bytes type: long - -## s3_request [_s3_request_2] +## s3_request [_s3_request] `s3_request` contains request metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3. @@ -2055,7 +2043,6 @@ type: long format: duration - ## sns [_sns] `sns` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SNS. @@ -2115,7 +2102,7 @@ type: long **`aws.sns.metrics.NumberOfNotificationsFailedToRedriveToDlq.sum`** -: The number of messages that couldn’t be moved to a dead-letter queue. +: The number of messages that couldn't be moved to a dead-letter queue. type: long @@ -2126,8 +2113,7 @@ type: long type: long - -## sqs [_sqs_2] +## sqs [_sqs] `sqs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SQS. @@ -2195,8 +2181,7 @@ format: bytes type: keyword - -## transitgateway [_transitgateway_2] +## transitgateway [_transitgateway] `transitgateway` contains the metrics from Cloudwatch to track usage of transit gateway related resources. @@ -2248,8 +2233,7 @@ type: long type: long - -## usage [_usage_10] +## usage [_usage] `usage` contains the metrics from Cloudwatch to track usage of some AWS resources. 
@@ -2265,8 +2249,7 @@ type: long type: long - -## vpn [_vpn_2] +## vpn [_vpn] `vpn` contains the metrics from Cloudwatch to track usage of VPN related resources. diff --git a/docs/reference/metricbeat/exported-fields-awsfargate.md b/docs/reference/metricbeat/exported-fields-awsfargate.md index 43dbaa1ce148..c4faa9a51d09 100644 --- a/docs/reference/metricbeat/exported-fields-awsfargate.md +++ b/docs/reference/metricbeat/exported-fields-awsfargate.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-awsfargate.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AWS Fargate fields [exported-fields-awsfargate] `awsfargate` module collects AWS fargate metrics from task metadata endpoint. @@ -37,8 +39,7 @@ type: keyword type: keyword - -## task_stats [_task_stats_2] +## task_stats [_task_stats] `task_stats` contains the metrics that were scraped from AWS fargate task stats ${ECS_CONTAINER_METADATA_URI_V4}/task/stats metadata endpoint. @@ -55,7 +56,7 @@ type: keyword **`awsfargate.task_stats.identifier`** -: Container identifier across tasks and clusters, which equals to container.name + */* + container.id. +: Container identifier across tasks and clusters, which equals to container.name + '/' + container.id. type: keyword @@ -78,8 +79,7 @@ type: keyword type: scaled_float - -## cpu [_cpu_3] +## cpu [_cpu] Runtime CPU metrics. @@ -165,13 +165,11 @@ type: scaled_float format: percent - -## diskio [_diskio_2] +## diskio [_diskio] Disk I/O metrics. - -## read [_read_2] +## read [_read] Accumulated reads during the life of the container 
@@ -214,17 +212,14 @@ type: long **`awsfargate.task_stats.diskio.reads`** -: :::{admonition} Deprecated in 6.4 - The `awsfargate.task_stats.diskio.reads` field was deprecated in 6.4. - ::: +: Number of current reads per second -Number of current reads per second +{applies_to}`product: deprecated 6.4` type: scaled_float - -## write [_write_2] +## write [_write] Accumulated writes during the life of the container @@ -267,16 +262,13 @@ type: long **`awsfargate.task_stats.diskio.writes`** -: :::{admonition} Deprecated in 6.4 - The `awsfargate.task_stats.diskio.writes` field was deprecated in 6.4. - ::: +: Number of current writes per second -Number of current writes per second +{applies_to}`product: deprecated 6.4` type: scaled_float - ## summary [_summary] Accumulated reads and writes during the life of the container @@ -320,17 +312,14 @@ type: long **`awsfargate.task_stats.diskio.total`** -: :::{admonition} Deprecated in 6.4 - The `aawsfargate.task_stats.diskio.total` field was deprecated in 6.4. - ::: +: Number of reads and writes per second -Number of reads and writes per second +{applies_to}`product: deprecated 6.4` type: scaled_float - -## memory [_memory_3] +## memory [_memory] Memory metrics. @@ -340,7 +329,6 @@ Memory metrics. type: object - ## commit [_commit] Committed bytes on Windows @@ -383,7 +371,6 @@ type: long format: bytes - ## rss [_rss] RSS memory stats. @@ -404,8 +391,7 @@ type: scaled_float format: percent - -## usage [_usage_11] +## usage [_usage] Usage memory stats. diff --git a/docs/reference/metricbeat/exported-fields-azure.md b/docs/reference/metricbeat/exported-fields-azure.md index 4f3249593743..80d25b2a1036 100644 --- a/docs/reference/metricbeat/exported-fields-azure.md +++ b/docs/reference/metricbeat/exported-fields-azure.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-azure.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Azure fields [exported-fields-azure] azure module @@ -13,7 +15,6 @@ azure module type: keyword - ## resource [_resource] The resource specified @@ -78,8 +79,7 @@ type: object type: object - -## app_insights [_app_insights_2] +## app_insights [_app_insights] application insights @@ -101,8 +101,7 @@ type: date type: object - -## app_state [_app_state_2] +## app_state [_app_state] application state @@ -226,8 +225,7 @@ type: float type: float - -## billing [_billing_5] +## billing [_billing] billing and usage details @@ -351,8 +349,7 @@ type: object type: object - -## monitor [_monitor_2] +## monitor [_monitor] monitor diff --git a/docs/reference/metricbeat/exported-fields-beat-common.md b/docs/reference/metricbeat/exported-fields-beat-common.md index d09edf82cab3..d2e48ecc760e 100644 --- a/docs/reference/metricbeat/exported-fields-beat-common.md +++ b/docs/reference/metricbeat/exported-fields-beat-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/metricbeat/exported-fields-beat.md b/docs/reference/metricbeat/exported-fields-beat.md index e865338da5ca..61230a6b8248 100644 --- a/docs/reference/metricbeat/exported-fields-beat.md +++ b/docs/reference/metricbeat/exported-fields-beat.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-beat.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat] Beat module 
@@ -691,6 +693,60 @@ alias to: beat.stats.apm_server.root.response.valid.ok alias to: beat.stats.apm_server.root.unset +**`beats_stats.apm-server.sampling.tail.dynamic_service_groups`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.dynamic_service_groups + + +**`beats_stats.apm-server.sampling.tail.events.dropped`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.dropped + + +**`beats_stats.apm-server.sampling.tail.events.failed_writes`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.failed_writes + + +**`beats_stats.apm-server.sampling.tail.events.head_unsampled`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.head_unsampled + + +**`beats_stats.apm-server.sampling.tail.events.processed`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.processed + + +**`beats_stats.apm-server.sampling.tail.events.sampled`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.sampled + + +**`beats_stats.apm-server.sampling.tail.events.stored`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.events.stored + + +**`beats_stats.apm-server.sampling.tail.storage.lsm_size`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.storage.lsm_size + + +**`beats_stats.apm-server.sampling.tail.storage.value_log_size`** +: type: alias + +alias to: beat.stats.apm_server.sampling.tail.storage.value_log_size + + **`beats_stats.apm-server.sampling.transactions_dropped`** : type: alias @@ -1363,9 +1419,10 @@ alias to: beat.state.service.name alias to: beat.state.service.version - ## beat [_beat] + + **`beat.id`** : Beat ID. @@ -1382,7 +1439,6 @@ type: keyword : type: keyword - ## state [_state] Beat state @@ -1479,8 +1535,7 @@ type: keyword type: keyword - -## stats [_stats_2] +## stats [_stats] Beat stats 
@@ -1940,6 +1995,42 @@ Beat stats : type: long +**`beat.stats.apm_server.sampling.tail.dynamic_service_groups`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.dropped`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.failed_writes`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.head_unsampled`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.processed`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.sampled`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.events.stored`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.storage.lsm_size`** +: type: long + + +**`beat.stats.apm_server.sampling.tail.storage.value_log_size`** +: type: long + + **`beat.stats.apm_server.sampling.transactions_dropped`** : type: long @@ -2220,7 +2311,6 @@ type: long type: long - ## libbeat [_libbeat] Fields common to all Beats 
@@ -2230,11 +2320,69 @@ Fields common to all Beats **`beat.stats.libbeat.pipeline.queue.acked`** -: type: long +: Number of acknowledged events + +type: long + + +**`beat.stats.libbeat.pipeline.queue.added.bytes`** +: Number of bytes added to the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.added.events`** +: Number of events added to the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.consumed.bytes`** +: Number of bytes consumed from the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.consumed.events`** +: Number of events consumed from the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.filled.bytes`** +: Number of bytes filled in the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.filled.events`** +: Number of events filled in the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.filled.pct`** +: Percentage of the queue filled + +type: float **`beat.stats.libbeat.pipeline.queue.max_events`** -: type: long +: Maximum number of events allowed in the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.removed.bytes`** +: Number of bytes removed from the queue + +type: long + + +**`beat.stats.libbeat.pipeline.queue.removed.events`** +: Number of events removed from the queue + +type: long **`beat.stats.libbeat.pipeline.events.active`** @@ -2281,7 +2429,6 @@ Fields common to all Beats : type: long - ## output [_output] Output stats @@ -2292,7 +2439,6 @@ Output stats type: keyword - ## events [_events] Event counters @@ -2345,8 +2491,7 @@ type: long type: long - -## read [_read_3] +## read [_read] Read stats @@ -2362,8 +2507,7 @@ type: long type: long - -## write [_write_3] +## write [_write] Write stats 
@@ -2379,6 +2523,26 @@ type: long type: long +**`beat.stats.libbeat.output.write.latency.histogram.count`** +: type: long + + +**`beat.stats.libbeat.output.write.latency.histogram.max`** +: type: float + + +**`beat.stats.libbeat.output.write.latency.histogram.median`** +: type: long + + +**`beat.stats.libbeat.output.write.latency.histogram.p95`** +: type: float + + +**`beat.stats.libbeat.output.write.latency.histogram.p99`** +: type: float + + **`beat.stats.output.elasticsearch.bulk_requests.available`** : type: long diff --git a/docs/reference/metricbeat/exported-fields-benchmark.md b/docs/reference/metricbeat/exported-fields-benchmark.md index e13a636199a1..51c1bb640577 100644 --- a/docs/reference/metricbeat/exported-fields-benchmark.md +++ b/docs/reference/metricbeat/exported-fields-benchmark.md @@ -1,19 +1,19 @@ --- mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-benchmark.html - # That link will 404 until 8.18 is current - # (see https://www.elastic.co/guide/en/beats/metricbeat/8.18/exported-fields-benchmark.html) --- +% This file is generated! See scripts/generate_fields_docs.py + # Benchmark fields [exported-fields-benchmark] benchmark module - ## benchmark [_benchmark] -## info [_info_3] + +## info [_info] info diff --git a/docs/reference/metricbeat/exported-fields-ceph.md b/docs/reference/metricbeat/exported-fields-ceph.md index 9f0b72e29500..2231e50ce796 100644 --- a/docs/reference/metricbeat/exported-fields-ceph.md +++ b/docs/reference/metricbeat/exported-fields-ceph.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ceph.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Ceph fields [exported-fields-ceph] Ceph module - ## ceph [_ceph] `ceph` contains the metrics that were scraped from CEPH. - ## cluster_disk [_cluster_disk] cluster_disk @@ -41,7 +41,6 @@ type: long format: bytes - ## cluster_health [_cluster_health] cluster_health 
@@ -70,7 +69,6 @@ type: long type: keyword - ## cluster_status [_cluster_status] cluster_status @@ -241,17 +239,14 @@ type: long type: long - ## mgr_cluster_disk [_mgr_cluster_disk] see: cluster_disk - ## mgr_cluster_health [_mgr_cluster_health] see: cluster_health - ## mgr_osd_perf [_mgr_osd_perf] OSD performance metrics of Ceph cluster @@ -286,7 +281,6 @@ type: long type: long - ## mgr_osd_pool_stats [_mgr_osd_pool_stats] OSD pool stats of Ceph cluster @@ -309,17 +303,14 @@ type: long type: object - ## mgr_osd_tree [_mgr_osd_tree] see: osd_tree - ## mgr_pool_disk [_mgr_pool_disk] see: pool_disk - ## monitor_health [_monitor_health] monitor_health stats data @@ -404,7 +395,6 @@ format: bytes type: long - ## osd_df [_osd_df] ceph osd disk usage information @@ -465,7 +455,6 @@ type: scaled_float format: percent - ## osd_tree [_osd_tree] ceph osd tree info @@ -548,7 +537,6 @@ type: keyword type: keyword - ## pool_disk [_pool_disk] pool_disk diff --git a/docs/reference/metricbeat/exported-fields-cloud.md b/docs/reference/metricbeat/exported-fields-cloud.md index be2ab5bb5ff5..5489f5ba082d 100644 --- a/docs/reference/metricbeat/exported-fields-cloud.md +++ b/docs/reference/metricbeat/exported-fields-cloud.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/metricbeat/exported-fields-cloudfoundry.md b/docs/reference/metricbeat/exported-fields-cloudfoundry.md index 201c8060a6b6..028a96d1f276 100644 --- a/docs/reference/metricbeat/exported-fields-cloudfoundry.md +++ b/docs/reference/metricbeat/exported-fields-cloudfoundry.md 
@@ -3,20 +3,22 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cloudfoundry.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloudfoundry fields [exported-fields-cloudfoundry] Cloud Foundry module - ## cloudfoundry [_cloudfoundry] + + **`cloudfoundry.type`** -: The type of event from Cloud Foundry. Possible values include *container*, *counter* and *value*. +: The type of event from Cloud Foundry. Possible values include 'container', 'counter' and 'value'. type: keyword - ## app [_app] The application the metric is associated with. @@ -27,8 +29,7 @@ The application the metric is associated with. type: keyword - -## container [_container_2] +## container [_container] `container` contains container metrics from Cloud Foundry. @@ -68,8 +69,7 @@ type: long type: long - -## counter [_counter_2] +## counter [_counter] `counter` contains counter metrics from Cloud Foundry. @@ -91,8 +91,7 @@ type: long type: long - -## value [_value_2] +## value [_value] `value` contains counter metrics from Cloud Foundry. diff --git a/docs/reference/metricbeat/exported-fields-cockroachdb.md b/docs/reference/metricbeat/exported-fields-cockroachdb.md index 2fd3394ac80c..cb1c841efe73 100644 --- a/docs/reference/metricbeat/exported-fields-cockroachdb.md +++ b/docs/reference/metricbeat/exported-fields-cockroachdb.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-cockroachdb.html --- +% This file is generated! See scripts/generate_fields_docs.py + # CockroachDB fields [exported-fields-cockroachdb] CockroachDB module scrape metrics using Prometheus endpoint. diff --git a/docs/reference/metricbeat/exported-fields-common.md b/docs/reference/metricbeat/exported-fields-common.md index eab670f9a5b1..eb2ba30cd6da 100644 --- a/docs/reference/metricbeat/exported-fields-common.md +++ b/docs/reference/metricbeat/exported-fields-common.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Common fields [exported-fields-common] Contains common fields available in all event types. diff --git a/docs/reference/metricbeat/exported-fields-consul.md b/docs/reference/metricbeat/exported-fields-consul.md index c26855c47010..5cb0df03260d 100644 --- a/docs/reference/metricbeat/exported-fields-consul.md +++ b/docs/reference/metricbeat/exported-fields-consul.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-consul.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Consul fields [exported-fields-consul] Consul module - ## agent [_agent] Agent Metricset fetches metrics information from a Consul instance running as Agent @@ -18,7 +19,6 @@ Agent Metricset fetches metrics information from a Consul instance running as Ag type: boolean - ## runtime [_runtime] Runtime related metrics @@ -53,7 +53,6 @@ type: long type: long - ## garbage_collector [_garbage_collector] Garbage collector metrics @@ -64,7 +63,6 @@ Garbage collector metrics type: long - ## pause [_pause] Time that the garbage collector has paused the app diff --git a/docs/reference/metricbeat/exported-fields-containerd.md b/docs/reference/metricbeat/exported-fields-containerd.md index 2dae15cd7942..bbb1185005d1 100644 --- a/docs/reference/metricbeat/exported-fields-containerd.md +++ b/docs/reference/metricbeat/exported-fields-containerd.md 
@@ -3,14 +3,15 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-containerd.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Containerd fields [exported-fields-containerd] Containerd stats collected from containerd - ## containerd [_containerd] -Information and statistics about containerd’s running containers. +Information and statistics about containerd's running containers. **`containerd.namespace`** : Containerd namespace @@ -18,7 +19,6 @@ Information and statistics about containerd’s running containers. type: keyword - ## blkio [_blkio] Block I/O metrics. @@ -29,8 +29,7 @@ Block I/O metrics. type: keyword - -## read [_read_4] +## read [_read] Accumulated reads during the life of the container @@ -48,8 +47,7 @@ type: long format: bytes - -## write [_write_4] +## write [_write] Accumulated writes during the life of the container @@ -67,8 +65,7 @@ type: long format: bytes - -## summary [_summary_2] +## summary [_summary] Accumulated reads and writes during the life of the container @@ -86,8 +83,7 @@ type: long format: bytes - -## cpu [_cpu_4] +## cpu [_cpu] Containerd Runtime CPU metrics. @@ -145,8 +141,7 @@ format: percent type: object - -## memory [_memory_4] +## memory [_memory] memory @@ -190,8 +185,7 @@ type: long format: bytes - -## usage [_usage_12] +## usage [_usage] Usage memory stats. @@ -233,7 +227,6 @@ type: long format: bytes - ## kernel [_kernel] Kernel memory stats. @@ -268,7 +261,6 @@ type: long format: bytes - ## swap [_swap] Swap memory stats. diff --git a/docs/reference/metricbeat/exported-fields-coredns.md b/docs/reference/metricbeat/exported-fields-coredns.md index 0af9562ea21d..54622cafaf61 100644 --- a/docs/reference/metricbeat/exported-fields-coredns.md +++ b/docs/reference/metricbeat/exported-fields-coredns.md 
@@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-coredns.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Coredns fields [exported-fields-coredns] coredns Module - ## coredns [_coredns] `coredns` contains statistics that were read from coreDNS - -## stats [_stats_3] +## stats [_stats] Contains statistics related to the coreDNS service diff --git a/docs/reference/metricbeat/exported-fields-couchbase.md b/docs/reference/metricbeat/exported-fields-couchbase.md index d9c1122a5f84..f93ac7059012 100644 --- a/docs/reference/metricbeat/exported-fields-couchbase.md +++ b/docs/reference/metricbeat/exported-fields-couchbase.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-couchbase.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Couchbase fields [exported-fields-couchbase] Metrics collected from Couchbase servers. - ## couchbase [_couchbase] `couchbase` contains the metrics that were scraped from Couchbase. - ## bucket [_bucket] Couchbase bucket metrics. @@ -87,7 +87,6 @@ type: double type: long - ## cluster [_cluster] Couchbase cluster metrics. @@ -206,7 +205,6 @@ type: long format: bytes - ## node [_node] Couchbase node metrics. diff --git a/docs/reference/metricbeat/exported-fields-couchdb.md b/docs/reference/metricbeat/exported-fields-couchdb.md index 08c746288edd..aa0336de5e62 100644 --- a/docs/reference/metricbeat/exported-fields-couchdb.md +++ b/docs/reference/metricbeat/exported-fields-couchdb.md @@ -3,21 +3,20 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-couchdb.html --- +% This file is generated! See scripts/generate_fields_docs.py + # CouchDB fields [exported-fields-couchdb] couchdb module - ## couchdb [_couchdb] Couchdb metrics - -## server [_server_2] +## server [_server] Contains CouchDB server stats - ## httpd [_httpd] HTTP statistics 
@@ -52,7 +51,6 @@ type: long type: long - ## httpd_request_methods [_httpd_request_methods] HTTP request methods @@ -93,7 +91,6 @@ type: long type: long - ## httpd_status_codes [_httpd_status_codes] HTTP status codes statistics @@ -176,8 +173,7 @@ type: long type: long - -## couchdb [_couchdb_2] +## couchdb [_couchdb] couchdb statistics diff --git a/docs/reference/metricbeat/exported-fields-docker-processor.md b/docs/reference/metricbeat/exported-fields-docker-processor.md index 4d19f0d9fc89..f97c84ccd65d 100644 --- a/docs/reference/metricbeat/exported-fields-docker-processor.md +++ b/docs/reference/metricbeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. diff --git a/docs/reference/metricbeat/exported-fields-docker.md b/docs/reference/metricbeat/exported-fields-docker.md index 2bd2882cb2d1..249313be2736 100644 --- a/docs/reference/metricbeat/exported-fields-docker.md +++ b/docs/reference/metricbeat/exported-fields-docker.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-docker.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker] Docker stats collected from Docker. +## docker [_docker] -## docker [_docker_4] - -Information and statistics about docker’s running containers. +Information and statistics about docker's running containers. - -## container [_container_3] +## container [_container] Docker container metrics. @@ -41,7 +41,6 @@ type: keyword type: ip - ## size [_size] Container size metrics. @@ -64,8 +63,7 @@ type: long type: keyword - -## cpu [_cpu_5] +## cpu [_cpu] Runtime CPU metrics. 
@@ -173,13 +171,11 @@ format: percent type: object - -## diskio [_diskio_3] +## diskio [_diskio] Disk I/O metrics. - -## read [_read_5] +## read [_read] Accumulated reads during the life of the container @@ -221,8 +217,7 @@ type: long type: long - -## write [_write_5] +## write [_write] Accumulated writes during the life of the container @@ -264,8 +259,7 @@ type: long type: long - -## summary [_summary_3] +## summary [_summary] Accumulated reads and writes during the life of the container @@ -307,7 +301,6 @@ type: long type: long - ## event [_event] Docker event @@ -342,7 +335,6 @@ type: keyword type: keyword - ## actor [_actor] Actor @@ -359,10 +351,10 @@ type: keyword type: object - ## healthcheck [_healthcheck] -Docker healthcheck metrics. Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image. +Docker healthcheck metrics. +Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image. **`docker.healthcheck.failingstreak`** : concurent failed check @@ -376,8 +368,7 @@ type: integer type: keyword - -## event [_event_2] +## event [_event] event fields. @@ -405,12 +396,10 @@ type: keyword type: integer - ## image [_image] Docker image metrics. - ## id [_id] The image layers identifier. @@ -433,8 +422,7 @@ type: keyword type: date - -## size [_size_2] +## size [_size] Image size layers. @@ -462,11 +450,9 @@ type: object type: keyword +## info [_info] -## info [_info_4] - -Info metrics based on [https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information](https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information). - +Info metrics based on https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information. ## containers [_containers] 
@@ -508,8 +494,7 @@ type: keyword type: long - -## memory [_memory_5] +## memory [_memory] Memory metrics. @@ -519,8 +504,7 @@ Memory metrics. type: object - -## commit [_commit_2] +## commit [_commit] Committed bytes on Windows @@ -562,8 +546,7 @@ type: long format: bytes - -## rss [_rss_2] +## rss [_rss] RSS memory stats. @@ -583,8 +566,7 @@ type: scaled_float format: percent - -## usage [_usage_13] +## usage [_usage] Usage memory stats. @@ -612,8 +594,7 @@ type: long format: bytes - -## network [_network_2] +## network [_network] Network metrics. @@ -623,7 +604,6 @@ Network metrics. type: keyword - ## in [_in] Incoming network stats per second. @@ -654,7 +634,6 @@ type: long type: long - ## out [_out] Outgoing network stats per second. @@ -685,7 +664,6 @@ type: long type: long - ## inbound [_inbound] Incoming network stats since the container started. @@ -716,7 +694,6 @@ type: long type: long - ## outbound [_outbound] Outgoing network stats since the container started. @@ -747,7 +724,6 @@ type: long type: long - ## network_summary [_network_summary] network_summary diff --git a/docs/reference/metricbeat/exported-fields-dropwizard.md b/docs/reference/metricbeat/exported-fields-dropwizard.md index 96776bec7149..95f2289be944 100644 --- a/docs/reference/metricbeat/exported-fields-dropwizard.md +++ b/docs/reference/metricbeat/exported-fields-dropwizard.md @@ -3,10 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-dropwizard.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Dropwizard fields [exported-fields-dropwizard] Stats collected from Dropwizard. - ## dropwizard [_dropwizard] + + diff --git a/docs/reference/metricbeat/exported-fields-ecs.md b/docs/reference/metricbeat/exported-fields-ecs.md index e8ea4a912485..38c113afef2e 100644 --- a/docs/reference/metricbeat/exported-fields-ecs.md +++ b/docs/reference/metricbeat/exported-fields-ecs.md 
@@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Metricbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Metricbeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] +## agent [_agent] -## agent [_agent_2] - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text +## client [_client] -## client [_client_2] - -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,8 +746,7 @@ type: boolean example: true - -## container [_container_4] +## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs - ## destination [_destination] -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - ## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword - ## error [_error] -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException +## event [_event] -## event [_event_3] - -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http - ## file [_file] -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,7 +2773,6 @@ type: keyword example: America/Argentina/Buenos_Aires - ## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 - ## log [_log] -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error +## network [_network] -## network [_network_3] - -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal **`observer.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3763,7 +3761,7 @@ example: darwin **`observer.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3814,7 +3812,6 @@ example: Symantec type: keyword - ## orchestrator [_orchestrator] Fields that describe the resources which container orchestrators manage or act upon. @@ -3885,10 +3882,10 @@ type: keyword example: kubernetes - ## organization [_organization] -The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. **`organization.id`** : Unique identifier for the organization. @@ -3906,7 +3903,6 @@ type: keyword : type: match_only_text - ## os [_os] The OS fields contain information about the operating system. 
@@ -3960,7 +3956,7 @@ example: darwin **`os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3975,7 +3971,6 @@ type: keyword example: 10.14.1 - ## package [_package] These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. @@ -4027,7 +4022,7 @@ type: date **`package.license`** -: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)). +: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword @@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/ type: keyword -example: [https://golang.org](https://golang.org) +example: https://golang.org **`package.size`** @@ -4084,7 +4079,6 @@ type: keyword example: 1.12.9 - ## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415 **`pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -4145,10 +4139,10 @@ type: keyword example: Microsoft® Windows® Operating System +## process [_process] -## process [_process_2] - -These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. **`process.args`** : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. @@ -4275,7 +4269,7 @@ example: Intel **`process.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -4645,7 +4639,7 @@ example: Intel **`process.parent.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -4923,7 +4917,7 @@ example: 6.3.9600.17415 **`process.parent.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415 **`process.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -5150,7 +5144,6 @@ example: /home/alice : type: match_only_text - ## registry [_registry] Fields related to Windows Registry operations. 
@@ -5211,13 +5204,14 @@ type: keyword example: Debugger - ## related [_related] -This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. **`related.hash`** -: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). +: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword 
@@ -5240,10 +5234,10 @@ type: ip type: keyword - ## rule [_rule] -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. **`rule.author`** : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. @@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS **`rule.reference`** -: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) +example: https://en.wikipedia.org/wiki/DNS_over_TLS **`rule.ruleset`** 
@@ -5325,10 +5319,11 @@ type: keyword example: 1.1 +## server [_server] -## server [_server_3] - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`server.address`** : Some event server addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5383,7 +5378,7 @@ example: Montreal **`server.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -5507,7 +5502,7 @@ format: string **`server.registered_domain`** -: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -5523,7 +5518,7 @@ example: east **`server.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5543,7 +5538,7 @@ type: keyword **`server.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -5606,10 +5601,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] +## service [_service] -## service [_service_2] - -The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. **`service.address`** : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics **`service.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics **`service.origin.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics **`service.target.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5821,10 +5816,10 @@ type: keyword example: 3.2.4 - ## source [_source] -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`source.address`** : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5879,7 +5874,7 @@ example: Montreal **`source.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -6003,7 +5998,7 @@ format: string **`source.registered_domain`** -: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -6019,7 +6014,7 @@ example: east **`source.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6039,7 +6034,7 @@ type: keyword **`source.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -6102,10 +6097,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## threat [_threat] -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). **`threat.enrichments`** : A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -6140,7 +6135,7 @@ example: Google LLC **`threat.enrichments.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword 
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.enrichments.indicator.file.accessed`** @@ -6170,7 +6165,7 @@ type: date **`threat.enrichments.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -6310,7 +6305,7 @@ example: Intel **`threat.enrichments.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -6548,7 +6543,7 @@ example: 256383 **`threat.enrichments.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -6576,7 +6571,7 @@ example: example.png **`threat.enrichments.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword 
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415 **`threat.enrichments.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -6824,7 +6819,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -6894,7 +6889,7 @@ example: Montreal **`threat.enrichments.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.enrichments.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -7014,7 +7009,7 @@ example: 443 **`threat.enrichments.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -7026,7 +7021,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.enrichments.indicator.registry.data.bytes`** @@ -7102,7 +7097,7 @@ example: 20 **`threat.enrichments.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -7136,7 +7131,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.enrichments.indicator.url.full.text`** 
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.enrichments.indicator.url.original.text`** @@ -7184,7 +7179,7 @@ type: keyword **`threat.enrichments.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,7 +9550,6 @@ type: keyword example: 00f067aa0ba902b7 - ## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword - ## user [_user] -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/metricbeat/exported-fields-elasticsearch.md b/docs/reference/metricbeat/exported-fields-elasticsearch.md index 6c4a03aecfdb..aa62cb43f935 100644 --- a/docs/reference/metricbeat/exported-fields-elasticsearch.md +++ b/docs/reference/metricbeat/exported-fields-elasticsearch.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-elasticsearch.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Elasticsearch fields [exported-fields-elasticsearch] Elasticsearch module @@ -977,7 +979,6 @@ type: boolean type: boolean - ## ccr [_ccr] Cross-cluster replication stats @@ -1126,8 +1127,7 @@ type: long : type: long - -## cluster.stats [_cluster_stats] +## cluster.stats [_cluster.stats] Cluster stats @@ -1161,7 +1161,6 @@ Cluster stats type: keyword - ## nodes [_nodes] Nodes statistics. @@ -1204,7 +1203,6 @@ type: long : type: long - ## indices [_indices] Indices statistics. @@ -1223,7 +1221,6 @@ Indices statistics. type: long - ## shards [_shards] Shard statistics. 
@@ -1274,7 +1271,6 @@ type: long : type: boolean - ## enrich [_enrich] Enrich stats @@ -1335,8 +1331,7 @@ type: long type: long - -## index [_index_3] +## index [_index] index @@ -1668,8 +1663,7 @@ type: long : type: long - -## index.recovery [_index_recovery] +## index.recovery [_index.recovery] index @@ -1805,8 +1799,7 @@ type: keyword : type: long - -## index.summary [_index_summary] +## index.summary [_index.summary] index @@ -1970,7 +1963,6 @@ format: bytes : type: long - ## ingest_pipeline [_ingest_pipeline] Runtime metrics on ingest pipeline execution @@ -1981,7 +1973,6 @@ Runtime metrics on ingest pipeline execution type: wildcard - ## total [_total] Metrics on the total ingest pipeline execution, including all processors. @@ -2046,8 +2037,7 @@ type: long type: long - -## ml.job [_ml_job] +## ml.job [_ml.job] ml @@ -2087,8 +2077,7 @@ type: long type: long - -## node [_node_2] +## node [_node] node @@ -2098,7 +2087,6 @@ node type: keyword - ## jvm [_jvm] JVM Info. @@ -2147,8 +2135,7 @@ format: bytes type: boolean - -## node.stats [_node_stats] +## node.stats [_node.stats] Statistics about each node in a Elasticsearch cluster @@ -2516,8 +2503,7 @@ format: bytes : type: long - -## summary [_summary_4] +## summary [_summary] File system summary @@ -2845,8 +2831,7 @@ format: bytes format: bytes - -## cluster.pending_task [_cluster_pending_task] +## cluster.pending_task [_cluster.pending_task] `cluster.pending_task` contains a pending task description. @@ -2874,7 +2859,6 @@ type: keyword type: long - ## shard [_shard] shard fields diff --git a/docs/reference/metricbeat/exported-fields-envoyproxy.md b/docs/reference/metricbeat/exported-fields-envoyproxy.md index 8f67827a3a70..c37e95dbab37 100644 --- a/docs/reference/metricbeat/exported-fields-envoyproxy.md +++ b/docs/reference/metricbeat/exported-fields-envoyproxy.md 
@@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-envoyproxy.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Envoyproxy fields [exported-fields-envoyproxy] envoyproxy module - ## envoyproxy [_envoyproxy] -## server [_server_4] + +## server [_server] Contains envoy proxy server stats diff --git a/docs/reference/metricbeat/exported-fields-etcd.md b/docs/reference/metricbeat/exported-fields-etcd.md index c1baff76ecb9..318fd1691575 100644 --- a/docs/reference/metricbeat/exported-fields-etcd.md +++ b/docs/reference/metricbeat/exported-fields-etcd.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-etcd.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Etcd fields [exported-fields-etcd] etcd Module - ## etcd [_etcd] `etcd` contains statistics that were read from Etcd @@ -18,12 +19,10 @@ etcd Module type: keyword - ## leader [_leader] Contains etcd leader statistics. - ## follower [_follower] Contains follower statistics. @@ -34,7 +33,6 @@ Contains follower statistics. type: keyword - ## latency [_latency] latency to each peer in the cluster @@ -61,8 +59,7 @@ type: integer type: keyword - -## server [_server_5] +## server [_server] Server metrics from the Etcd V3 /metrics endpoint @@ -108,7 +105,6 @@ type: long type: long - ## disk [_disk] Disk metrics from the Etcd V3 /metrics endpoint @@ -157,8 +153,7 @@ type: long type: long - -## memory [_memory_6] +## memory [_memory] Memory metrics from the Etcd V3 /metrics endpoint @@ -170,8 +165,7 @@ type: long format: bytes - -## network [_network_5] +## network [_network] Network metrics from the Etcd V3 /metrics endpoint @@ -191,7 +185,6 @@ type: long format: bytes - ## self [_self] Contains etcd self statistics. @@ -221,7 +214,7 @@ type: keyword **`etcd.self.name`** -: this member’s name +: this member's name type: keyword 
@@ -274,7 +267,6 @@ type: keyword type: keyword - ## store [_store] The store statistics include information about the operations that this node has handled. diff --git a/docs/reference/metricbeat/exported-fields-gcp.md b/docs/reference/metricbeat/exported-fields-gcp.md index c12f1f0d6098..1f0f98310128 100644 --- a/docs/reference/metricbeat/exported-fields-gcp.md +++ b/docs/reference/metricbeat/exported-fields-gcp.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-gcp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Google Cloud Platform fields [exported-fields-gcp] GCP module @@ -19,8 +21,7 @@ type: object type: object - -## billing [_billing_6] +## billing [_billing] Google Cloud Billing metrics @@ -79,12 +80,11 @@ type: nested **`gcp.billing.effective_price`** -: The charged price for usage of the Google Cloud SKUs and SKU tiers. Reflects contract pricing if applicable, otherwise, it’s the list price. +: The charged price for usage of the Google Cloud SKUs and SKU tiers. Reflects contract pricing if applicable, otherwise, it's the list price. type: float - ## carbon [_carbon] Google Cloud Carbon Footprint metrics @@ -149,8 +149,7 @@ type: float type: float - -## compute [_compute_2] +## compute [_compute] Google Cloud Compute metrics @@ -268,7 +267,6 @@ type: long type: long - ## dataproc [_dataproc] Google Cloud Dataproc metrics @@ -399,7 +397,6 @@ type: object type: object - ## firestore [_firestore] Google Cloud Firestore metrics @@ -422,8 +419,7 @@ type: long type: long - -## gke [_gke_2] +## gke [_gke] `gke` contains the metrics that we scraped from GCP Stackdriver API containing monitoring metrics for GCP GKE @@ -667,8 +663,7 @@ type: long type: double - -## loadbalancing [_loadbalancing_2] +## loadbalancing [_loadbalancing] Google Cloud Load Balancing metrics 
@@ -709,7 +704,7 @@ type: long **`gcp.loadbalancing.l3.external.egress.bytes`** -: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it’s counting bytes on application stream only. +: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. type: long @@ -721,7 +716,7 @@ type: long **`gcp.loadbalancing.l3.external.ingress.bytes`** -: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it’s counting bytes on application stream only. +: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. type: long @@ -733,7 +728,7 @@ type: long **`gcp.loadbalancing.l3.internal.egress.bytes`** -: The number of bytes sent from ILB backend to client (for TCP flows it’s counting bytes on application stream only). +: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). type: long @@ -745,7 +740,7 @@ type: long **`gcp.loadbalancing.l3.internal.ingress.bytes`** -: The number of bytes sent from client to ILB backend (for TCP flows it’s counting bytes on application stream only). +: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). type: long @@ -841,13 +836,12 @@ type: object **`gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value`** -: A distribution of the smoothed RTT (in ms) measured by the proxy’s TCP stack, each minute application layer bytes pass from proxy to client. +: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. type: object - -## pubsub [_pubsub_2] +## pubsub [_pubsub] Google Cloud PubSub metrics 
@@ -942,7 +936,7 @@ type: long **`gcp.pubsub.subscription.num_outstanding_messages.value`** -: Number of messages delivered to a subscription’s push endpoint, but not yet acknowledged. +: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. type: long @@ -1145,8 +1139,7 @@ type: object type: object - -## storage [_storage_3] +## storage [_storage] Google Cloud Storage metrics diff --git a/docs/reference/metricbeat/exported-fields-golang.md b/docs/reference/metricbeat/exported-fields-golang.md index b2963222e5a8..8495cd507e33 100644 --- a/docs/reference/metricbeat/exported-fields-golang.md +++ b/docs/reference/metricbeat/exported-fields-golang.md @@ -3,14 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-golang.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Golang fields [exported-fields-golang] Golang module - ## golang [_golang] + ## expvar [_expvar] expvar @@ -21,7 +23,6 @@ expvar type: keyword - ## heap [_heap] The Go program heap information exposed by expvar. @@ -32,12 +33,10 @@ The Go program heap information exposed by expvar. type: keyword - -## gc [_gc_2] +## gc [_gc] Garbage collector summary. - ## total_pause [_total_pause] Total GC pause duration over lifetime of process. @@ -68,8 +67,7 @@ format: bytes type: float - -## pause [_pause_2] +## pause [_pause] Last GC pause durations during the monitoring period. @@ -79,7 +77,6 @@ Last GC pause durations during the monitoring period. type: long - ## sum [_sum] Total GC pause duration during this collect period. @@ -90,7 +87,6 @@ Total GC pause duration during this collect period. type: long - ## max [_max] Max GC pause duration during this collect period. @@ -101,7 +97,6 @@ Max GC pause duration during this collect period. type: long - ## avg [_avg] Average GC pause duration during this collect period. 
@@ -112,8 +107,7 @@ Average GC pause duration during this collect period. type: long - -## system [_system_2] +## system [_system] Heap summary,which bytes was obtained from system. @@ -149,7 +143,6 @@ type: long format: bytes - ## allocations [_allocations] Heap allocations summary. diff --git a/docs/reference/metricbeat/exported-fields-graphite.md b/docs/reference/metricbeat/exported-fields-graphite.md index 432face2eba4..5e35a1745e22 100644 --- a/docs/reference/metricbeat/exported-fields-graphite.md +++ b/docs/reference/metricbeat/exported-fields-graphite.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-graphite.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Graphite fields [exported-fields-graphite] graphite Module - ## graphite [_graphite] -## server [_server_6] + +## server [_server] server diff --git a/docs/reference/metricbeat/exported-fields-haproxy.md b/docs/reference/metricbeat/exported-fields-haproxy.md index 6ffdb5500ccd..8945e58a3752 100644 --- a/docs/reference/metricbeat/exported-fields-haproxy.md +++ b/docs/reference/metricbeat/exported-fields-haproxy.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-haproxy.html --- +% This file is generated! See scripts/generate_fields_docs.py + # HAProxy fields [exported-fields-haproxy] HAProxy Module - ## haproxy [_haproxy] HAProxy metrics. - -## info [_info_5] +## info [_info] General information about HAProxy processes. @@ -100,7 +100,7 @@ type: long **`haproxy.info.memory.max.bytes`** -: Maximum amount of memory usage in bytes (the *Memmax_MB* value converted to bytes). +: Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes). type: long @@ -155,12 +155,14 @@ type: long type: long - ## compress [_compress] + ## bps [_bps] + + **`haproxy.info.compress.bps.in`** : Incoming compressed data in bits per second. 
@@ -179,12 +181,14 @@ type: long type: long - ## connection [_connection] + ## rate [_rate] + + **`haproxy.info.connection.rate.value`** : Number of connections in the last second. @@ -261,9 +265,10 @@ type: long type: long - ## pipes [_pipes] + + **`haproxy.info.pipes.used`** : Number of used pipes during kernel-based tcp splicing. @@ -282,7 +287,6 @@ type: integer type: integer - ## session [_session] None @@ -305,8 +309,7 @@ type: integer type: integer - -## ssl [_ssl_7] +## ssl [_ssl] None @@ -328,7 +331,6 @@ type: integer type: integer - ## frontend [_frontend] None @@ -353,7 +355,6 @@ type: scaled_float format: percent - ## backend [_backend] None @@ -382,9 +383,10 @@ type: long type: long - ## zlib_mem_usage [_zlib_mem_usage] + + **`haproxy.info.zlib_mem_usage.value`** : Memory usage of zlib. @@ -405,13 +407,12 @@ type: scaled_float format: percent - ## stat [_stat] Stats collected from HAProxy processes. **`haproxy.stat.status`** -: Status (UP, DOWN, NOLB, MAINT, or MAINT(via)…). +: Status (UP, DOWN, NOLB, MAINT, or MAINT(via)...). type: keyword @@ -465,7 +466,7 @@ format: bytes **`haproxy.stat.last_change`** -: Number of seconds since the last UP→DOWN or DOWN→UP transition. +: Number of seconds since the last UP->DOWN or DOWN->UP transition. type: integer @@ -569,10 +570,7 @@ type: long **`haproxy.stat.request.denied`** -: Requests denied because of security concerns. - -* For TCP this is because of a matched tcp-request content rule. -* For HTTP this is because of a matched http-request or tarpit rule. +: Requests denied because of security concerns. * For TCP this is because of a matched tcp-request content rule. * For HTTP this is because of a matched http-request or tarpit rule. type: long 
@@ -602,14 +600,7 @@ type: long **`haproxy.stat.request.errors`** -: Request errors. Some of the possible causes are: - -* early termination from the client, before the request has been sent -* read error from the client -* client timeout -* client closed connection -* various bad requests from the client. -* request was tarpitted. +: Request errors. Some of the possible causes are: * early termination from the client, before the request has been sent * read error from the client * client timeout * client closed connection * various bad requests from the client. * request was tarpitted. type: long @@ -626,8 +617,9 @@ type: long type: long +## rate [_rate] + -## rate [_rate_2] **`haproxy.stat.request.rate.value`** : Number of HTTP requests per second over the last elapsed second. @@ -654,7 +646,7 @@ type: long **`haproxy.stat.response.errors`** -: Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are: * write errors on the client socket (won’t be counted for the server stat) * failure applying filters to the response +: Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are: * write errors on the client socket (won't be counted for the server stat) * failure applying filters to the response type: long @@ -671,8 +663,9 @@ type: long type: integer +## http [_http] + -## http [_http_3] **`haproxy.stat.response.http.1xx`** : HTTP responses with 1xx code. 
@@ -758,30 +751,13 @@ type: integer type: integer - ## check [_check] + + **`haproxy.stat.check.status`** -: Status of the last health check. One of: - -``` -UNK -> unknown -INI -> initializing -SOCKERR -> socket error -L4OK -> check passed on layer 4, no upper layers testing enabled -L4TOUT -> layer 1-4 timeout -L4CON -> layer 1-4 connection problem, for example - "Connection refused" (tcp rst) or "No route to host" (icmp) -L6OK -> check passed on layer 6 -L6TOUT -> layer 6 (SSL) timeout -L6RSP -> layer 6 invalid response - protocol error -L7OK -> check passed on layer 7 -L7OKC -> check conditionally passed on layer 7, for example 404 with - disable-on-404 -L7TOUT -> layer 7 (HTTP/SMTP) timeout -L7RSP -> layer 7 invalid response - protocol error -L7STS -> layer 7 response error, for example HTTP 5xx -``` +: Status of the last health check. One of: UNK -> unknown INI -> initializing SOCKERR -> socket error L4OK -> check passed on layer 4, no upper layers testing enabled L4TOUT -> layer 1-4 timeout L4CON -> layer 1-4 connection problem, for example "Connection refused" (tcp rst) or "No route to host" (icmp) L6OK -> check passed on layer 6 L6TOUT -> layer 6 (SSL) timeout L6RSP -> layer 6 invalid response - protocol error L7OK -> check passed on layer 7 L7OKC -> check conditionally passed on layer 7, for example 404 with disable-on-404 L7TOUT -> layer 7 (HTTP/SMTP) timeout L7RSP -> layer 7 invalid response - protocol error L7STS -> layer 7 response error, for example HTTP 5xx + type: keyword @@ -820,7 +796,7 @@ type: long **`haproxy.stat.check.down`** -: Number of UP→DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server. +: Number of UP->DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server. type: long 
@@ -831,8 +807,9 @@ type: long type: integer +## server [_server] + -## server [_server_7] **`haproxy.stat.server.id`** : Server ID (unique inside a proxy). @@ -858,9 +835,10 @@ type: integer type: integer - ## compressor [_compressor] + + **`haproxy.stat.compressor.in.bytes`** : Number of HTTP response bytes fed to the compressor. @@ -893,8 +871,9 @@ type: long format: bytes +## proxy [_proxy] + -## proxy [_proxy_2] **`haproxy.stat.proxy.id`** : Unique proxy ID. @@ -914,8 +893,9 @@ type: keyword type: keyword +## queue [_queue] + -## queue [_queue_8] **`haproxy.stat.queue.limit`** : Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit). @@ -929,23 +909,13 @@ type: integer type: integer +## agent [_agent] + -## agent [_agent_3] **`haproxy.stat.agent.status`** -: Status of the last health check. One of: - -``` -UNK -> unknown -INI -> initializing -SOCKERR -> socket error -L4OK -> check passed on layer 4, no upper layers enabled -L4TOUT -> layer 1-4 timeout -L4CON -> layer 1-4 connection problem, for example - "Connection refused" (tcp rst) or "No route to host" (icmp) -L7OK -> agent reported "up" -L7STS -> agent reported "fail", "stop" or "down" -``` +: Status of the last health check. One of: UNK -> unknown INI -> initializing SOCKERR -> socket error L4OK -> check passed on layer 4, no upper layers enabled L4TOUT -> layer 1-4 timeout L4CON -> layer 1-4 connection problem, for example "Connection refused" (tcp rst) or "No route to host" (icmp) L7OK -> agent reported "up" L7STS -> agent reported "fail", "stop" or "down" + type: keyword diff --git a/docs/reference/metricbeat/exported-fields-host-processor.md b/docs/reference/metricbeat/exported-fields-host-processor.md index b28c0947cf12..b736d3cd80e6 100644 --- a/docs/reference/metricbeat/exported-fields-host-processor.md +++ b/docs/reference/metricbeat/exported-fields-host-processor.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/metricbeat/exported-fields-http.md b/docs/reference/metricbeat/exported-fields-http.md index 1665693925dd..275ff3f70720 100644 --- a/docs/reference/metricbeat/exported-fields-http.md +++ b/docs/reference/metricbeat/exported-fields-http.md @@ -3,12 +3,14 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-http.html --- +% This file is generated! See scripts/generate_fields_docs.py + # HTTP fields [exported-fields-http] HTTP module +## http [_http] -## http [_http_4] ## request [_request] @@ -21,7 +23,6 @@ HTTP request information type: object - ## response [_response] HTTP response information @@ -48,13 +49,11 @@ type: keyword example: Not found - ## json [_json] json metricset - -## server [_server_8] +## server [_server] server diff --git a/docs/reference/metricbeat/exported-fields-ibmmq.md b/docs/reference/metricbeat/exported-fields-ibmmq.md index 73f40789a0cb..c97f3e4ec746 100644 --- a/docs/reference/metricbeat/exported-fields-ibmmq.md +++ b/docs/reference/metricbeat/exported-fields-ibmmq.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-ibmmq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # IBM MQ fields [exported-fields-ibmmq] IBM MQ module diff --git a/docs/reference/metricbeat/exported-fields-iis.md b/docs/reference/metricbeat/exported-fields-iis.md index 3162f43435e5..642302374440 100644 --- a/docs/reference/metricbeat/exported-fields-iis.md +++ b/docs/reference/metricbeat/exported-fields-iis.md 
@@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-iis.html --- +% This file is generated! See scripts/generate_fields_docs.py + # IIS fields [exported-fields-iis] iis module - ## iis [_iis] -## application_pool [_application_pool_2] + +## application_pool [_application_pool] Application pool process stats. @@ -21,8 +23,7 @@ Application pool process stats. type: keyword - -## process [_process_4] +## process [_process] Worker process overview. @@ -80,7 +81,6 @@ type: float type: float - ## net_clr [_net_clr] Common Language Runtime overview. @@ -115,8 +115,7 @@ type: float type: float - -## memory [_memory_7] +## memory [_memory] Memory overview. @@ -186,7 +185,6 @@ type: float type: float - ## locks_and_threads [_locks_and_threads] LocksAndThreads overview. @@ -203,13 +201,11 @@ type: float type: float - -## webserver [_webserver_2] +## webserver [_webserver] Webserver related metrics. - -## process [_process_5] +## process [_process] The process related stats. @@ -273,7 +269,6 @@ type: float type: float - ## asp_net [_asp_net] Common Language Runtime overview. @@ -290,7 +285,6 @@ type: float type: long - ## asp_net_application [_asp_net_application] ASP.NET application overview. @@ -325,7 +319,6 @@ type: float type: float - ## cache [_cache] The cache overview. @@ -414,8 +407,7 @@ type: float type: float - -## network [_network_6] +## network [_network] The network related stats. @@ -533,8 +525,7 @@ type: float type: float - -## website [_website_2] +## website [_website] Website related metrics. @@ -544,8 +535,7 @@ Website related metrics. type: keyword - -## network [_network_7] +## network [_network] The network overview. diff --git a/docs/reference/metricbeat/exported-fields-istio.md b/docs/reference/metricbeat/exported-fields-istio.md index c28b0521b6bd..66b71317c69b 100644 --- a/docs/reference/metricbeat/exported-fields-istio.md +++ b/docs/reference/metricbeat/exported-fields-istio.md 
@@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-istio.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Istio fields [exported-fields-istio] istio Module - ## istio [_istio] `istio` contains statistics that were read from Istio - ## citadel [_citadel] Contains statistics related to the Istio Citadel service @@ -91,7 +91,6 @@ format: duration type: long - ## galley [_galley] Contains statistics related to the Istio galley service @@ -257,7 +256,7 @@ type: long **`istio.galley.runtime.strategy.on_change`** -: The number of times the strategy’s onChange has been called +: The number of times the strategy's onChange has been called type: long @@ -292,7 +291,6 @@ type: long type: long - ## mesh [_mesh] Contains statistics related to the Istio mesh service @@ -473,7 +471,6 @@ type: long type: keyword - ## mixer [_mixer] Contains statistics related to the Istio mixer service @@ -616,7 +613,6 @@ type: keyword type: keyword - ## pilot [_pilot] Contains statistics related to the Istio pilot service diff --git a/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md index e5d2ca256440..bde579b22983 100644 --- a/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/metricbeat/exported-fields-jolokia-autodiscover.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword 
diff --git a/docs/reference/metricbeat/exported-fields-jolokia.md b/docs/reference/metricbeat/exported-fields-jolokia.md index f18714841b01..aa0dc0d3e78a 100644 --- a/docs/reference/metricbeat/exported-fields-jolokia.md +++ b/docs/reference/metricbeat/exported-fields-jolokia.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-jolokia.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia fields [exported-fields-jolokia] Jolokia module - -## jolokia [_jolokia_2] +## jolokia [_jolokia] jolokia contains metrics exposed via jolokia agent diff --git a/docs/reference/metricbeat/exported-fields-kafka.md b/docs/reference/metricbeat/exported-fields-kafka.md index a335e34d41d2..f3bfdb2401fd 100644 --- a/docs/reference/metricbeat/exported-fields-kafka.md +++ b/docs/reference/metricbeat/exported-fields-kafka.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kafka.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kafka fields [exported-fields-kafka] Kafka module - ## kafka [_kafka] -## broker [_broker_2] + +## broker [_broker] Broker Consumer Group Information have been read from (Broker handling the consumer group). @@ -57,8 +59,7 @@ type: keyword type: keyword - -## broker [_broker_3] +## broker [_broker] Broker metrics from Kafka Broker JMX @@ -188,7 +189,6 @@ type: float type: float - ## consumer [_consumer] Consumer metrics from Kafka Consumer JMX @@ -247,7 +247,6 @@ type: float type: float - ## consumergroup [_consumergroup] consumergroup @@ -282,8 +281,7 @@ type: long type: long - -## client [_client_3] +## client [_client] Assigned client reading events from partition @@ -305,12 +303,10 @@ type: keyword type: keyword - -## partition [_partition_2] +## partition [_partition] partition - ## offset [_offset] Available offsets of the given partition. 
@@ -327,8 +323,7 @@ type: long type: long - -## partition [_partition_3] +## partition [_partition] Partition data. @@ -362,7 +357,6 @@ type: boolean type: long - ## producer [_producer] Producer metrics from Kafka Producer JMX diff --git a/docs/reference/metricbeat/exported-fields-kibana.md b/docs/reference/metricbeat/exported-fields-kibana.md index c9fb6b102b51..9c759820fa45 100644 --- a/docs/reference/metricbeat/exported-fields-kibana.md +++ b/docs/reference/metricbeat/exported-fields-kibana.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kibana.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kibana fields [exported-fields-kibana] Kibana module @@ -131,7 +133,6 @@ alias to: service.id : type: keyword - ## cluster_actions [_cluster_actions] Kibana cluster actions metrics. @@ -152,7 +153,6 @@ Kibana cluster actions metrics. : type: float - ## cluster_rules [_cluster_rules] Kibana cluster rule metrics. @@ -173,7 +173,6 @@ Kibana cluster rule metrics. : type: float - ## node_actions [_node_actions] Kibana node actions metrics. @@ -194,7 +193,6 @@ Kibana node actions metrics. : type: long - ## node_rules [_node_rules] Kibana node rule metrics. 
@@ -215,69 +213,7 @@ Kibana node rule metrics. : type: long - -## settings [_settings_2] - -Kibana stats and run-time metrics. - -**`kibana.settings.uuid`** -: Kibana instance UUID - -type: keyword - - -**`kibana.settings.name`** -: Kibana instance name - -type: keyword - - -**`kibana.settings.index`** -: Name of Kibana’s internal index - -type: keyword - - -**`kibana.settings.host`** -: Kibana instance hostname - -type: keyword - - -**`kibana.settings.transport_address`** -: Kibana server’s hostname and port - -type: keyword - - -**`kibana.settings.version`** -: Kibana version - -type: keyword - - -**`kibana.settings.snapshot`** -: Whether the Kibana build is a snapshot build - -type: boolean - - -**`kibana.settings.status`** -: Kibana instance’s health status - -type: keyword - - -**`kibana.settings.locale`** -: type: keyword - - -**`kibana.settings.port`** -: type: integer - - - -## stats [_stats_5] +## stats [_stats] Kibana stats and run-time metrics. @@ -304,7 +240,7 @@ type: keyword **`kibana.stats.index`** -: Name of Kibana’s internal index +: Name of Kibana's internal index type: keyword @@ -316,7 +252,7 @@ type: keyword **`kibana.stats.transport_address`** -: Kibana server’s hostname and port +: Kibana server's hostname and port type: alias @@ -338,7 +274,7 @@ type: boolean **`kibana.stats.status`** -: Kibana instance’s health status +: Kibana instance's health status type: keyword @@ -405,8 +341,7 @@ type: keyword type: long - -## process [_process_6] +## process [_process] Process metrics @@ -432,7 +367,6 @@ Process metrics type: scaled_float - ## event_loop_utilization [_event_loop_utilization] The ratio of time the event loop is not idling in the event provider to the total time the event loop is running. @@ -455,8 +389,7 @@ type: scaled_float type: scaled_float - -## memory.heap [_memory_heap] +## memory.heap [_memory.heap] Process heap metrics 
@@ -490,8 +423,7 @@ format: bytes type: long - -## request [_request_2] +## request [_request] Request count metrics @@ -507,7 +439,6 @@ type: long type: long - ## response_time [_response_time] Response times metrics @@ -524,10 +455,9 @@ type: long type: long - ## elasticsearch_client [_elasticsearch_client] -Elasticsearch Client’s stats +Elasticsearch Client's stats **`kibana.stats.elasticsearch_client.total_active_sockets`** : Total number of active sockets @@ -547,8 +477,7 @@ type: integer type: integer - -## status [_status_2] +## status [_status] Status fields @@ -593,31 +522,30 @@ type: text **`kibana.status.status.core.elasticsearch.level`** -: Kibana Elasticsearch client’s status +: Kibana Elasticsearch client's status type: keyword **`kibana.status.status.core.elasticsearch.summary`** -: Kibana Elasticsearch client’s status in a human-readable format. +: Kibana Elasticsearch client's status in a human-readable format. type: text **`kibana.status.status.core.savedObjects.level`** -: Kibana Saved Objects client’s status +: Kibana Saved Objects client's status type: keyword **`kibana.status.status.core.savedObjects.summary`** -: Kibana Saved Objects client’s status in a human-readable format. +: Kibana Saved Objects client's status in a human-readable format. type: text - -## metrics [_metrics_8] +## metrics [_metrics] Metrics fields @@ -627,7 +555,6 @@ Metrics fields type: long - ## requests [_requests] Request statistics. diff --git a/docs/reference/metricbeat/exported-fields-kubernetes-processor.md b/docs/reference/metricbeat/exported-fields-kubernetes-processor.md index bc518e6594e0..6708290baf17 100644 --- a/docs/reference/metricbeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/metricbeat/exported-fields-kubernetes-processor.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/metricbeat/exported-fields-kubernetes.md b/docs/reference/metricbeat/exported-fields-kubernetes.md index 6437103e3c50..2ced9ea194ee 100644 --- a/docs/reference/metricbeat/exported-fields-kubernetes.md +++ b/docs/reference/metricbeat/exported-fields-kubernetes.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kubernetes.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes] Kubernetes metrics - -## kubernetes [_kubernetes_3] +## kubernetes [_kubernetes] Information and statistics of pods managed by kubernetes. - -## apiserver [_apiserver_2] +## apiserver [_apiserver] Kubernetes API server metrics @@ -253,8 +253,7 @@ type: long type: long - -## container [_container_5] +## container [_container] kubernetes container metrics @@ -264,8 +263,7 @@ kubernetes container metrics type: date - -## cpu [_cpu_6] +## cpu [_cpu] CPU usage metrics @@ -297,8 +295,7 @@ type: scaled_float format: percent - -## logs [_logs_2] +## logs [_logs] Logs info @@ -442,7 +439,6 @@ format: bytes type: double - ## controllermanager [_controllermanager] Controller manager metrics @@ -594,7 +590,7 @@ type: double **`kubernetes.controllermanager.workqueue.unfinished.sec`** -: How many seconds of work has done that is in progress and hasn’t been considered in the longest running processor, broken down by workqueue name +: How many seconds of work has done that is in progress and hasn't been considered in the longest running processor, broken down by workqueue name type: double 
@@ -647,8 +643,7 @@ type: long type: boolean - -## event [_event_4] +## event [_event] The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes @@ -688,8 +683,7 @@ type: keyword type: keyword - -## source [_source_2] +## source [_source] The component reporting this event @@ -705,8 +699,7 @@ type: keyword type: keyword - -## metadata [_metadata_2] +## metadata [_metadata] Metadata associated with the given event @@ -752,7 +745,6 @@ type: keyword type: keyword - ## involved_object [_involved_object] Metadata associated with the given involved object @@ -787,8 +779,7 @@ type: keyword type: keyword - -## node [_node_4] +## node [_node] kubernetes node metrics @@ -798,8 +789,7 @@ kubernetes node metrics type: date - -## cpu [_cpu_7] +## cpu [_cpu] CPU usage metrics @@ -953,7 +943,6 @@ type: double format: bytes - ## pod [_pod] kubernetes pod metrics @@ -992,8 +981,7 @@ format: bytes type: double - -## cpu [_cpu_8] +## cpu [_cpu] CPU usage metrics @@ -1087,8 +1075,7 @@ type: double type: double - -## proxy [_proxy_3] +## proxy [_proxy] Kubernetes proxy server metrics @@ -1220,7 +1207,6 @@ format: bytes type: object - ## sync [_sync] kubeproxy proxy sync metrics @@ -1261,7 +1247,6 @@ type: long type: object - ## scheduler [_scheduler] Kubernetes scheduler metrics @@ -1437,7 +1422,7 @@ type: double **`kubernetes.scheduler.workqueue.unfinished.sec`** -: How many seconds of work has done that is in progress and hasn’t been considered in the longest running processor, broken down by workqueue name +: How many seconds of work has done that is in progress and hasn't been considered in the longest running processor, broken down by workqueue name type: double @@ -1508,8 +1493,7 @@ type: long type: long - -## container [_container_6] +## container [_container] kubernetes container metrics @@ -1583,7 +1567,6 @@ type: long format: bytes - ## cronjob [_cronjob] kubernetes cronjob metrics 
@@ -1642,7 +1625,6 @@ type: double type: long - ## daemonset [_daemonset] Kubernetes DaemonSet metrics @@ -1651,7 +1633,6 @@ Kubernetes DaemonSet metrics : type: keyword - ## replicas [_replicas] Kubernetes DaemonSet replica metrics @@ -1680,8 +1661,7 @@ type: long type: long - -## deployment [_deployment_2] +## deployment [_deployment] kubernetes deployment metrics @@ -1703,8 +1683,7 @@ type: keyword type: keyword - -## replicas [_replicas_2] +## replicas [_replicas] Kubernetes deployment replicas info @@ -1732,7 +1711,6 @@ type: integer type: integer - ## job [_job] Kubernetes job metrics @@ -1743,7 +1721,6 @@ Kubernetes job metrics type: keyword - ## pods [_pods] Pod metrics for the job @@ -1766,7 +1743,6 @@ type: long type: long - ## time [_time] Kubernetes job timestamps @@ -1783,7 +1759,6 @@ type: date type: date - ## completions [_completions] Kubernetes job completion settings @@ -1794,7 +1769,6 @@ Kubernetes job completion settings type: long - ## parallelism [_parallelism] Kubernetes job parallelism settings @@ -1805,7 +1779,6 @@ Kubernetes job parallelism settings type: long - ## owner [_owner] Kubernetes job owner information @@ -1828,8 +1801,7 @@ type: keyword type: keyword - -## status [_status_3] +## status [_status] Kubernetes job status information @@ -1845,7 +1817,6 @@ type: keyword type: keyword - ## state_namespace [_state_namespace] Kubernetes namespace metrics. @@ -1868,8 +1839,7 @@ type: boolean type: boolean - -## node [_node_5] +## node [_node] kubernetes node metrics @@ -1961,7 +1931,6 @@ type: long type: keyword - ## persistentvolume [_persistentvolume] kubernetes persistent volume metrics from kube-state-metrics @@ -1990,7 +1959,6 @@ type: keyword type: keyword - ## persistentvolumeclaim [_persistentvolumeclaim] kubernetes persistent volume claim metrics from kube-state-metrics @@ -2037,8 +2005,7 @@ type: keyword type: date - -## pod [_pod_2] +## pod [_pod] kubernetes pod metrics 
@@ -2048,13 +2015,12 @@ kubernetes pod metrics type: ip - -## status [_status_4] +## status [_status] Kubernetes pod status metrics **`kubernetes.pod.status.phase`** -: Kubernetes pod phase (Running, Pending…) +: Kubernetes pod phase (Running, Pending...) type: keyword @@ -2083,13 +2049,11 @@ type: keyword type: double - ## replicaset [_replicaset] kubernetes replica set metrics - -## replicas [_replicas_3] +## replicas [_replicas] Kubernetes replica set paused status @@ -2123,7 +2087,6 @@ type: long type: long - ## resourcequota [_resourcequota] kubernetes resourcequota metrics @@ -2158,8 +2121,7 @@ type: keyword type: keyword - -## service [_service_3] +## service [_service] kubernetes service metrics @@ -2217,7 +2179,6 @@ type: keyword type: date - ## statefulset [_statefulset] kubernetes stateful set metrics @@ -2228,8 +2189,7 @@ kubernetes stateful set metrics type: long - -## replicas [_replicas_4] +## replicas [_replicas] Kubernetes stateful set replicas status @@ -2251,7 +2211,6 @@ type: long type: long - ## generation [_generation] Kubernetes stateful set generation information @@ -2268,7 +2227,6 @@ type: long type: long - ## storageclass [_storageclass] kubernetes storage class metrics @@ -2303,8 +2261,7 @@ type: keyword type: date - -## system [_system_3] +## system [_system] kubernetes system containers metrics @@ -2320,8 +2277,7 @@ type: keyword type: date - -## cpu [_cpu_9] +## cpu [_cpu] CPU usage metrics @@ -2373,7 +2329,6 @@ type: double type: double - ## volume [_volume] kubernetes volume metrics diff --git a/docs/reference/metricbeat/exported-fields-kvm.md b/docs/reference/metricbeat/exported-fields-kvm.md index c02920daa77b..a89790a44152 100644 --- a/docs/reference/metricbeat/exported-fields-kvm.md +++ b/docs/reference/metricbeat/exported-fields-kvm.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-kvm.html --- +% This file is generated! See scripts/generate_fields_docs.py + # KVM fields [exported-fields-kvm] kvm module @@ -19,16 +21,15 @@ type: long type: keyword - ## kvm [_kvm] + ## dommemstat [_dommemstat] dommemstat - -## stat [_stat_2] +## stat [_stat] Memory stat @@ -56,8 +57,7 @@ type: long type: keyword - -## status [_status_5] +## status [_status] status diff --git a/docs/reference/metricbeat/exported-fields-linux.md b/docs/reference/metricbeat/exported-fields-linux.md index 324f983de475..c90de197df7d 100644 --- a/docs/reference/metricbeat/exported-fields-linux.md +++ b/docs/reference/metricbeat/exported-fields-linux.md @@ -3,22 +3,21 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-linux.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Linux fields [exported-fields-linux] linux module - ## linux [_linux] linux system metrics - ## conntrack [_conntrack] conntrack - -## summary [_summary_5] +## summary [_summary] summary of nf_conntrack statistics, summed across CPU cores @@ -70,7 +69,6 @@ type: long type: long - ## iostat [_iostat] iostat @@ -157,13 +155,11 @@ type: float type: float - ## ksm [_ksm] ksm - -## stats [_stats_6] +## stats [_stats] KSM statistics @@ -203,12 +199,10 @@ type: long type: long - -## memory [_memory_8] +## memory [_memory] Linux memory data - ## page_stats [_page_stats] memory page statistics @@ -269,7 +263,6 @@ type: scaled_float format: percent - ## hugepages [_hugepages] This group contains statistics related to huge pages usage on the system. @@ -330,8 +323,7 @@ type: long format: bytes - -## swap [_swap_2] +## swap [_swap] This group contains statistics related to the swap memory usage on the system. 
@@ -391,18 +383,15 @@ type: long type: long - ## pageinfo [_pageinfo] pageinfo - ## buddy_info [_buddy_info] Data from /proc/buddyinfo grouping used pages by order - -## DMA [_dma] +## DMA [_DMA] DMA page Data @@ -478,7 +467,6 @@ type: long type: object - ## pressure [_pressure] Linux pressure stall information metrics for cpu, memory, and io @@ -633,7 +621,6 @@ format: percent type: long - ## rapl [_rapl] Wattage as reported by Intel RAPL diff --git a/docs/reference/metricbeat/exported-fields-logstash.md b/docs/reference/metricbeat/exported-fields-logstash.md index 1397796d7938..e38910f17c7c 100644 --- a/docs/reference/metricbeat/exported-fields-logstash.md +++ b/docs/reference/metricbeat/exported-fields-logstash.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-logstash.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Logstash fields [exported-fields-logstash] Logstash module @@ -141,13 +143,11 @@ alias to: logstash.node.state.pipeline.hash : type: keyword - -## node [_node_6] +## node [_node] node - -## node [_node_7] +## node [_node] node_stats metrics. @@ -211,8 +211,7 @@ type: alias alias to: service.version - -## jvm [_jvm_3] +## jvm [_jvm] JVM Info @@ -246,8 +245,7 @@ alias to: process.pid : type: long - -## events [_events_2] +## events [_events] Events stats diff --git a/docs/reference/metricbeat/exported-fields-memcached.md b/docs/reference/metricbeat/exported-fields-memcached.md index 3c579956990c..fe72472e5695 100644 --- a/docs/reference/metricbeat/exported-fields-memcached.md +++ b/docs/reference/metricbeat/exported-fields-memcached.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-memcached.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Memcached fields [exported-fields-memcached] Memcached module - ## memcached [_memcached] -## stats [_stats_7] + +## stats [_stats] stats 
@@ -82,7 +84,7 @@ type: long **`memcached.stats.items.current`** -: Number of items currently in this server’s cache. +: Number of items currently in this server's cache. type: long @@ -94,7 +96,7 @@ type: long **`memcached.stats.evictions`** -: Number of objects removed from the cache to free up memory for new items because Memcached reached it’s maximum memory setting (limit_maxbytes). +: Number of objects removed from the cache to free up memory for new items because Memcached reached it's maximum memory setting (limit_maxbytes). type: long @@ -111,9 +113,3 @@ type: long type: long -$$$exported-fields-meraki$$$ - -**`meraki.device.serial`** -: type: keyword - - diff --git a/docs/reference/metricbeat/exported-fields-meraki.md b/docs/reference/metricbeat/exported-fields-meraki.md new file mode 100644 index 000000000000..a933d94ad932 --- /dev/null +++ b/docs/reference/metricbeat/exported-fields-meraki.md @@ -0,0 +1,15 @@ +--- +mapped_pages: + - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-meraki.html +--- + +% This file is generated! See scripts/generate_fields_docs.py + +# Cisco Meraki fields [exported-fields-meraki] + +meraki + +**`meraki.device.serial`** +: type: keyword + + diff --git a/docs/reference/metricbeat/exported-fields-mongodb.md b/docs/reference/metricbeat/exported-fields-mongodb.md index c9932548e87d..3168efef1061 100644 --- a/docs/reference/metricbeat/exported-fields-mongodb.md +++ b/docs/reference/metricbeat/exported-fields-mongodb.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mongodb.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MongoDB fields [exported-fields-mongodb] Metrics collected from MongoDB servers. - ## mongodb [_mongodb] MongoDB metrics. - ## collstats [_collstats] MongoDB collection statistics metrics. 
@@ -191,7 +191,6 @@ type: long type: long - ## dbstats [_dbstats] dbstats provides an overview of a particular mongo database. This document is most concerned with data volumes of a database. @@ -268,15 +267,14 @@ format: bytes format: bytes +## metrics [_metrics] -## metrics [_metrics_9] - -Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at [https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics](https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics) - +Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics ## commands [_commands] -Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions. metrics.commands..failed shows the number of times failed on this mongod. metrics.commands..total shows the number of times executed on this mongod. +Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions. +metrics.commands..failed shows the number of times failed on this mongod. metrics.commands..total shows the number of times executed on this mongod. **`mongodb.metrics.commands.is_self.failed`** : type: long @@ -518,7 +516,6 @@ Reports on the use of database commands. The fields in metrics.commands are the : type: long - ## cursor [_cursor] Contains data regarding cursor state and use. @@ -529,7 +526,6 @@ Contains data regarding cursor state and use. type: long - ## open [_open] Contains data regarding open cursors. 
@@ -552,7 +548,6 @@ type: long type: long - ## document [_document] Reflects document access and modification patterns. @@ -581,7 +576,6 @@ type: long type: long - ## get_last_error [_get_last_error] Returns the error status of the preceding write operation on the current connection. @@ -604,7 +598,6 @@ type: long type: long - ## operation [_operation] Holds counters for several types of update and query operations that MongoDB handles using special operation types. @@ -621,7 +614,6 @@ type: long type: long - ## query_executor [_query_executor] Reports data from the query execution system. @@ -638,11 +630,9 @@ type: long type: long - ## replication [_replication] -Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren’t members of replica sets. - +Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren't members of replica sets. ## executor [_executor] @@ -728,7 +718,6 @@ Reports on various statistics for the replication executor. : type: keyword - ## apply [_apply] Reports on the application of operations from the replication oplog. @@ -737,7 +726,6 @@ Reports on the application of operations from the replication oplog. : type: long - ## batches [_batches] Reports on the oplog application process on secondaries members of replica sets. @@ -760,7 +748,6 @@ type: long type: long - ## buffer [_buffer] MongoDB buffers oplog operations from the replication sync source buffer before applying oplog entries in a batch. metrics.replication.buffer provides a way to track the oplog buffer. @@ -783,7 +770,6 @@ type: long type: long - ## initial_sync [_initial_sync] Report initial sync status @@ -800,8 +786,7 @@ Report initial sync status : type: long - -## network [_network_8] +## network [_network] Reports network use by the replication process. 
@@ -811,7 +796,6 @@ Reports network use by the replication process. type: long - ## getmores [_getmores] Reports on the getmore operations, which are requests for additional results from the oplog cursor as part of the oplog replication process. @@ -840,12 +824,10 @@ type: long type: long - ## preload [_preload] Reports on the `pre-fetch` stage, where MongoDB loads documents and indexes into RAM to improve replication throughput. - ## docs [_docs] Reports on the documents loaded into memory during the pre-fetch stage. @@ -860,7 +842,6 @@ type: long : type: long - ## indexes [_indexes] Reports on the index items loaded into memory during the pre-fetch stage of replication. @@ -895,8 +876,7 @@ type: long type: long - -## ttl [_ttl_2] +## ttl [_ttl] Reports on the operation of the resource use of the ttl index process. @@ -912,12 +892,10 @@ type: long type: long - ## replstatus [_replstatus] replstatus provides an overview of replica set status. - ## oplog [_oplog] oplog provides an overview of replication oplog status, which is retrieved from db.getReplicationInfo(). @@ -986,7 +964,6 @@ type: long type: long - ## lag [_lag] Delay between a write operation on the primary and its copy to a secondary @@ -1007,13 +984,12 @@ type: long format: duration - ## headroom [_headroom] -Difference between the primary’s oplog window and the replication lag of the secondary +Difference between the primary's oplog window and the replication lag of the secondary **`mongodb.replstatus.headroom.max`** -: Difference between primary’s oplog window and the replication lag of the fastest secondary +: Difference between primary's oplog window and the replication lag of the fastest secondary type: long 
@@ -1021,14 +997,13 @@ format: duration **`mongodb.replstatus.headroom.min`** -: Difference between primary’s oplog window and the replication lag of the slowest secondary +: Difference between primary's oplog window and the replication lag of the slowest secondary type: long format: duration - ## members [_members] Provides information about members of replica set grouped by their state @@ -1145,8 +1120,7 @@ type: keyword type: long - -## status [_status_6] +## status [_status] MongoDB server status metrics. @@ -1208,8 +1182,7 @@ type: long type: long - -## connections [_connections_3] +## connections [_connections] Data regarding the current status of incoming connections and availability of the database server. @@ -1231,7 +1204,6 @@ type: long type: long - ## extra_info [_extra_info] Platform specific data. @@ -1245,12 +1217,11 @@ format: bytes **`mongodb.status.extra_info.page_faults`** -: The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn’t available in active memory. +: The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn't available in active memory. type: long - ## global_lock [_global_lock] Reports on lock state of the database. @@ -1261,7 +1232,6 @@ Reports on lock state of the database. type: long - ## current_queue [_current_queue] The number of operations queued because of a lock. @@ -1284,7 +1254,6 @@ type: long type: long - ## active_clients [_active_clients] The number of connected clients and the read and write operations performed by these clients. 
@@ -1307,10 +1276,10 @@ type: long type: long - ## locks [_locks] -A document that reports for each lock , data on lock s. The possible lock s are global, database, collection, metadata and oplog. The possible s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive. locks..acquire.count. shows the number of times the lock was acquired in the specified mode. locks..wait.count. shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks..wait.us. shows the cumulative wait time in microseconds for the lock acquisitions. locks..deadlock.count. shows the number of times the lock acquisitions encountered deadlocks. +A document that reports for each lock , data on lock s. The possible lock s are global, database, collection, metadata and oplog. The possible s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive. +locks..acquire.count. shows the number of times the lock was acquired in the specified mode. locks..wait.count. shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks..wait.us. shows the cumulative wait time in microseconds for the lock acquisitions. locks..deadlock.count. shows the number of times the lock acquisitions encountered deadlocks. **`mongodb.status.locks.global.acquire.count.r`** : type: long @@ -1632,8 +1601,7 @@ A document that reports for each lock , data on lock s. The possible : type: long - -## network [_network_9] +## network [_network] Platform specific data. @@ -1659,8 +1627,7 @@ format: bytes type: long - -## ops.latencies [_ops_latencies] +## ops.latencies [_ops.latencies] Operation latencies for the database as a whole. Only mongod instances report this metric. 
@@ -1700,8 +1667,7 @@ type: long type: long - -## ops.counters [_ops_counters] +## ops.counters [_ops.counters] An overview of database operations by type. @@ -1741,8 +1707,7 @@ type: long type: long - -## ops.replicated [_ops_replicated] +## ops.replicated [_ops.replicated] An overview of database replication operations by type. @@ -1782,8 +1747,7 @@ type: long type: long - -## memory [_memory_9] +## memory [_memory] Data about the current memory usage of the mongod server. @@ -1829,12 +1793,10 @@ type: boolean type: keyword - ## wired_tiger [_wired_tiger] Statistics about the WiredTiger storage engine. - ## concurrent_transactions [_concurrent_transactions] Statistics about the transactions currently in progress. @@ -1875,8 +1837,7 @@ type: long type: long - -## cache [_cache_2] +## cache [_cache] Statistics about the cache and page evictions from the cache. @@ -1922,8 +1883,7 @@ type: long type: long - -## log [_log_2] +## log [_log] Statistics about the write ahead log used by WiredTiger. @@ -1975,7 +1935,6 @@ type: long type: long - ## background_flushing [_background_flushing] Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine. @@ -2010,7 +1969,6 @@ type: long type: date - ## journaling [_journaling] Data about the journaling-related operations and performance. Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled. @@ -2051,7 +2009,6 @@ type: long type: long - ## times [_times] Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval. diff --git a/docs/reference/metricbeat/exported-fields-mssql.md b/docs/reference/metricbeat/exported-fields-mssql.md index 208b43627b29..dfff5984eebb 100644 --- a/docs/reference/metricbeat/exported-fields-mssql.md +++ b/docs/reference/metricbeat/exported-fields-mssql.md 
@@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mssql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MSSQL fields [exported-fields-mssql] MS SQL module - ## mssql [_mssql] The root field containing all MSSQL fields - ## database [_database] The database that the metrics is being referred to @@ -29,8 +29,7 @@ type: long type: keyword - -## performance [_performance_3] +## performance [_performance] performance metricset fetches information about the Performance Counters @@ -100,7 +99,6 @@ type: long type: long - ## cache_hit [_cache_hit] Indicates the percentage of pages found in the buffer cache without having to read from disk. @@ -111,7 +109,6 @@ Indicates the percentage of pages found in the buffer cache without having to re type: double - ## page_life_expectancy [_page_life_expectancy] Indicates the number of seconds a page will stay in the buffer pool without references. @@ -140,17 +137,14 @@ type: long type: long - -## transaction_log [_transaction_log_2] +## transaction_log [_transaction_log] transaction_log metricset will fetch information about the operation and transaction log of each database from a MSSQL instance - ## space_usage [_space_usage] Space usage information for the transaction log - ## since_last_backup [_since_last_backup] The amount of space used since the last log backup @@ -161,8 +155,7 @@ The amount of space used since the last log backup type: long - -## total [_total_2] +## total [_total] The size of the log @@ -172,7 +165,6 @@ The size of the log type: long - ## used [_used] The occupied size of the log @@ -189,12 +181,10 @@ type: long type: float - -## stats [_stats_8] +## stats [_stats] Returns summary level attributes and information on transaction log files of databases. Use this information for monitoring and diagnostics of transaction log health. - ## active_size [_active_size] Total active transaction log size. 
@@ -211,7 +201,6 @@ type: long type: date - ## recovery_size [_recovery_size] Log size since log recovery log sequence number (LSN). @@ -222,7 +211,6 @@ Log size since log recovery log sequence number (LSN). type: long - ## since_last_checkpoint [_since_last_checkpoint] Log size since last checkpoint log sequence number (LSN). @@ -233,7 +221,6 @@ Log size since last checkpoint log sequence number (LSN). type: long - ## total_size [_total_size] Total transaction log size. diff --git a/docs/reference/metricbeat/exported-fields-munin.md b/docs/reference/metricbeat/exported-fields-munin.md index 7799314a41c1..ce5d843b1e47 100644 --- a/docs/reference/metricbeat/exported-fields-munin.md +++ b/docs/reference/metricbeat/exported-fields-munin.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-munin.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Munin fields [exported-fields-munin] Munin node metrics exporter diff --git a/docs/reference/metricbeat/exported-fields-mysql.md b/docs/reference/metricbeat/exported-fields-mysql.md index 2d58d538e977..f4e68d4014e3 100644 --- a/docs/reference/metricbeat/exported-fields-mysql.md +++ b/docs/reference/metricbeat/exported-fields-mysql.md @@ -3,22 +3,21 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-mysql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MySQL fields [exported-fields-mysql] MySQL server status metrics collected from MySQL. - ## mysql [_mysql] `mysql` contains the metrics that were obtained from MySQL query. - ## galera_status [_galera_status] `galera_status` contains the metrics that were obtained by the status SQL query on Galera. - -## apply [_apply_2] +## apply [_apply] Apply status fields. 
@@ -29,7 +28,7 @@ type: double **`mysql.galera_status.apply.oool`** -: How often write-set was so slow to apply that write-set with higher seqno’s were applied earlier. Values closer to 0 refer to a greater gap between slow and fast write-sets. +: How often write-set was so slow to apply that write-set with higher seqno's were applied earlier. Values closer to 0 refer to a greater gap between slow and fast write-sets. type: double @@ -40,7 +39,6 @@ type: double type: double - ## cert [_cert] Certification status fields. @@ -63,8 +61,7 @@ type: long type: double - -## cluster [_cluster_2] +## cluster [_cluster] Cluster status fields. @@ -86,8 +83,7 @@ type: long type: keyword - -## commit [_commit_3] +## commit [_commit] Commit status fields. @@ -109,13 +105,12 @@ type: long type: keyword - ## evs [_evs] Evs Fields. **`mysql.galera_status.evs.evict`** -: Lists the UUID’s of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes. +: Lists the UUID's of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes. type: keyword @@ -126,7 +121,6 @@ type: keyword type: keyword - ## flow_ctl [_flow_ctl] Flow Control fields. @@ -161,7 +155,6 @@ type: long type: long - ## local [_local] Node specific Cluster status fields. @@ -184,7 +177,6 @@ type: long type: long - ## recv [_recv] Node specific recv fields. @@ -219,7 +211,6 @@ type: long type: long - ## send [_send] Node specific sent fields. @@ -260,7 +251,6 @@ type: keyword type: keyword - ## received [_received] Write-Set receive status fields. @@ -277,7 +267,6 @@ type: long type: long - ## repl [_repl] Replication status fields. 
@@ -318,12 +307,10 @@ type: long type: long - -## performance [_performance_4] +## performance [_performance] `performance` contains metrics related to the performance of a MySQL instance - ## events_statements [_events_statements] Records statement events summarized by schema and digest @@ -370,7 +357,6 @@ type: long type: keyword - ## table_io_waits [_table_io_waits] Records table I/O waits by index @@ -399,17 +385,14 @@ type: keyword type: long - -## query [_query_2] +## query [_query] `query` metricset fetches custom queries from the user to a MySQL instance. - -## status [_status_7] +## status [_status] `status` contains the metrics that were obtained by the status SQL query. - ## aborted [_aborted] Aborted status fields. @@ -426,12 +409,14 @@ type: long type: long +## connection [_connection] -## connection [_connection_2] ## errors [_errors] + + **`mysql.status.connection.errors.peer_address`** : The number of errors that occurred while searching for connecting client IP addresses. @@ -468,11 +453,11 @@ type: long type: long +## cache [_cache] -## cache [_cache_3] -## ssl [_ssl_8] +## ssl [_ssl] SSL session cache hits and misses. @@ -494,12 +479,14 @@ type: long type: long - ## table [_table] + ## open_cache [_open_cache] + + **`mysql.status.cache.table.open_cache.hits`** : The number of hits for open tables cache lookups. @@ -518,9 +505,10 @@ type: long type: long - ## binlog [_binlog] + + **`mysql.status.binlog.cache.disk_use`** : type: long @@ -529,7 +517,6 @@ type: long : type: long - ## bytes [_bytes] Bytes stats. @@ -550,8 +537,7 @@ type: long format: bytes - -## threads [_threads_2] +## threads [_threads] Threads stats. @@ -583,9 +569,10 @@ type: long : type: long - ## created [_created] + + **`mysql.status.created.tmp.disk_tables`** : type: long @@ -598,9 +585,10 @@ type: long : type: long - ## delayed [_delayed] + + **`mysql.status.delayed.errors`** : type: long 
@@ -621,8 +609,9 @@ type: long : type: long +## open [_open] + -## open [_open_2] **`mysql.status.open.files`** : type: long @@ -640,9 +629,10 @@ type: long : type: long - ## command [_command] + + **`mysql.status.command.delete`** : The number of DELETE queries since startup. @@ -679,9 +669,10 @@ type: long type: long - ## handler [_handler] + + **`mysql.status.handler.commit`** : The number of internal COMMIT statements. @@ -701,7 +692,7 @@ type: long **`mysql.status.handler.mrr_init`** -: The number of times the server uses a storage engine’s own Multi-Range Read implementation for table access. +: The number of times the server uses a storage engine's own Multi-Range Read implementation for table access. type: long @@ -712,8 +703,9 @@ type: long type: long +## read [_read] + -## read [_read_6] **`mysql.status.handler.read.first`** : The number of times the first entry in an index was read. @@ -787,12 +779,14 @@ type: long type: long - ## innodb [_innodb] + ## rows [_rows] + + **`mysql.status.innodb.rows.reads`** : The number of rows reads into InnoDB tables. @@ -817,9 +811,10 @@ type: long type: long - ## buffer_pool [_buffer_pool] + + **`mysql.status.innodb.buffer_pool.dump_status`** : The progress of an operation to record the pages held in the InnoDB buffer pool, triggered by the setting of innodb_buffer_pool_dump_at_shutdown or innodb_buffer_pool_dump_now. @@ -832,8 +827,9 @@ type: long type: long +## bytes [_bytes] + -## bytes [_bytes_2] **`mysql.status.innodb.buffer_pool.bytes.data`** : The total number of bytes in the InnoDB buffer pool containing data. @@ -847,9 +843,10 @@ type: long type: long - ## pages [_pages] + + **`mysql.status.innodb.buffer_pool.pages.data`** : The number of pages in the InnoDB buffer pool containing data. @@ -892,8 +889,9 @@ type: long type: long +## read [_read] + -## read [_read_7] **`mysql.status.innodb.buffer_pool.read.ahead`** : The number of pages read into the InnoDB buffer pool by the read-ahead background thread. 
@@ -919,8 +917,9 @@ type: long type: long +## pool [_pool] + -## pool [_pool_2] **`mysql.status.innodb.buffer_pool.pool.reads`** : The number of logical reads that InnoDB could not satisfy from the buffer pool, and had to read directly from disk. diff --git a/docs/reference/metricbeat/exported-fields-nats.md b/docs/reference/metricbeat/exported-fields-nats.md index 170b6291bd31..969de275a70c 100644 --- a/docs/reference/metricbeat/exported-fields-nats.md +++ b/docs/reference/metricbeat/exported-fields-nats.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-nats.html --- +% This file is generated! See scripts/generate_fields_docs.py + # NATS fields [exported-fields-nats] nats Module - ## nats [_nats] `nats` contains statistics that were read from Nats @@ -19,17 +20,14 @@ type: keyword **`nats.server.time`** -: :::{admonition} Deprecated in 8.0.0 - The `nats.server.time` field was deprecated in 8.0.0. - ::: +: Server time of metric creation -Server time of metric creation +{applies_to}`product: deprecated 8.0.0` type: date - -## connection [_connection_3] +## connection [_connection] Contains nats connection related metrics @@ -69,8 +67,7 @@ type: long format: duration - -## in [_in_2] +## in [_in] The amount of incoming data @@ -88,8 +85,7 @@ type: long format: bytes - -## out [_out_2] +## out [_out] The amount of outgoing data @@ -107,8 +103,7 @@ type: long format: bytes - -## connections [_connections_4] +## connections [_connections] Contains nats connection related metrics @@ -118,7 +113,6 @@ Contains nats connection related metrics type: integer - ## route [_route] Contains nats route related metrics @@ -153,8 +147,7 @@ type: integer type: ip - -## in [_in_3] +## in [_in] The amount of incoming data @@ -172,8 +165,7 @@ type: long format: bytes - -## out [_out_3] +## out [_out] The amount of outgoing data 
@@ -191,7 +183,6 @@ type: long format: bytes - ## routes [_routes] Contains nats route related metrics @@ -202,8 +193,7 @@ Contains nats route related metrics type: integer - -## stats [_stats_9] +## stats [_stats] Contains nats var related metrics @@ -249,8 +239,7 @@ type: long type: integer - -## in [_in_4] +## in [_in] The amount of incoming data @@ -268,8 +257,7 @@ type: long format: bytes - -## out [_out_4] +## out [_out] The amount of outgoing data @@ -293,17 +281,14 @@ format: bytes type: long - -## http [_http_5] +## http [_http] The http metrics of NATS server - ## req_stats [_req_stats] The requests statistics - ## uri [_uri] The request distribution on monitoring URIS @@ -338,7 +323,6 @@ type: long type: long - ## subscriptions [_subscriptions] Contains nats subscriptions related metrics diff --git a/docs/reference/metricbeat/exported-fields-nginx.md b/docs/reference/metricbeat/exported-fields-nginx.md index 5ee22d09a571..5a398376d082 100644 --- a/docs/reference/metricbeat/exported-fields-nginx.md +++ b/docs/reference/metricbeat/exported-fields-nginx.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-nginx.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Nginx fields [exported-fields-nginx] Nginx server status metrics collected from various modules. - ## nginx [_nginx] `nginx` contains the metrics that were scraped from nginx. - ## stubstatus [_stubstatus] `stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page. diff --git a/docs/reference/metricbeat/exported-fields-openai.md b/docs/reference/metricbeat/exported-fields-openai.md index 37695e7b8219..cb15057cb7aa 100644 --- a/docs/reference/metricbeat/exported-fields-openai.md +++ b/docs/reference/metricbeat/exported-fields-openai.md 
@@ -1,19 +1,19 @@ --- mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-openai.html - # That link will 404 until 8.18 is current - # (see https://www.elastic.co/guide/en/beats/metricbeat/8.18/exported-fields-openai.html) --- +% This file is generated! See scripts/generate_fields_docs.py + # openai fields [exported-fields-openai] openai module - ## openai [_openai] -## usage [_usage_14] + +## usage [_usage] OpenAI API usage metrics and statistics @@ -65,8 +65,7 @@ type: keyword type: keyword - -## data [_data_2] +## data [_data] General usage data metrics @@ -118,7 +117,6 @@ type: keyword type: keyword - ## dalle [_dalle] DALL-E API usage metrics @@ -159,7 +157,6 @@ type: keyword type: keyword - ## whisper [_whisper] Whisper API usage metrics @@ -188,7 +185,6 @@ type: long type: keyword - ## tts [_tts] Text-to-Speech API usage metrics @@ -217,7 +213,6 @@ type: long type: keyword - ## ft_data [_ft_data] Fine-tuning data metrics @@ -228,7 +223,6 @@ Fine-tuning data metrics type: object - ## assistant_code_interpreter [_assistant_code_interpreter] Assistant Code Interpreter usage metrics @@ -239,7 +233,6 @@ Assistant Code Interpreter usage metrics type: object - ## retrieval_storage [_retrieval_storage] Retrieval storage usage metrics diff --git a/docs/reference/metricbeat/exported-fields-openmetrics.md b/docs/reference/metricbeat/exported-fields-openmetrics.md index b04d237f2bb0..f973992c7ca7 100644 --- a/docs/reference/metricbeat/exported-fields-openmetrics.md +++ b/docs/reference/metricbeat/exported-fields-openmetrics.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-openmetrics.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Openmetrics fields [exported-fields-openmetrics] Openmetrics module - ## openmetrics [_openmetrics] `openmetrics` contains metrics from endpoints that are following Openmetrics format. 
diff --git a/docs/reference/metricbeat/exported-fields-oracle.md b/docs/reference/metricbeat/exported-fields-oracle.md index e3057836b4e9..391f2519ac5b 100644 --- a/docs/reference/metricbeat/exported-fields-oracle.md +++ b/docs/reference/metricbeat/exported-fields-oracle.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-oracle.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Oracle fields [exported-fields-oracle] Oracle database module - ## oracle [_oracle] Oracle module - -## performance [_performance_5] +## performance [_performance] Performance related metrics on a single database instance @@ -42,19 +42,18 @@ type: double **`oracle.performance.lock_requests`** -: Average of the ratio between *gethits* and *gets* being *Gethits* the number of times an object’s handle was found in memory and *gets* the number of times a lock was requested for objects of this namespace. +: Average of the ratio between 'gethits' and 'gets' being 'Gethits' the number of times an object's handle was found in memory and 'gets' the number of times a lock was requested for objects of this namespace. type: long **`oracle.performance.pin_requests`** -: Average of all pinhits/pins ratios being *PinHits* the number of times all of the metadata pieces of the library object were found in memory and *pins* the number of times a PIN was requested for objects of this namespace +: Average of all pinhits/pins ratios being 'PinHits' the number of times all of the metadata pieces of the library object were found in memory and 'pins' the number of times a PIN was requested for objects of this namespace type: double - -## cache [_cache_4] +## cache [_cache] Statistics about all buffer pools available for the instance @@ -70,10 +69,9 @@ type: double type: long - ## get [_get] -Buffer pool *get* statistics +Buffer pool 'get' statistics **`oracle.performance.cache.get.consistent`** : Consistent gets statistic 
@@ -87,7 +85,6 @@ type: long type: long - ## cursors [_cursors] Cursors information @@ -110,7 +107,6 @@ type: double type: double - ## opened [_opened] Opened cursors statistic @@ -127,7 +123,6 @@ type: long type: long - ## parse [_parse] Parses statistic information that occured in the current session @@ -156,8 +151,7 @@ type: long type: double - -## sysmetric [_sysmetric_2] +## sysmetric [_sysmetric] Sysmetric related metrics. @@ -251,7 +245,6 @@ type: double type: double - ## tablespace [_tablespace] tablespace @@ -262,7 +255,6 @@ tablespace type: keyword - ## data_file [_data_file] Database files information @@ -279,8 +271,7 @@ type: long type: keyword - -## size [_size_3] +## size [_size] Size information about the file @@ -309,7 +300,7 @@ format: bytes **`oracle.tablespace.data_file.status`** -: *File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)* +: 'File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)' type: keyword @@ -320,7 +311,6 @@ type: keyword type: keyword - ## space [_space] Tablespace space usage information diff --git a/docs/reference/metricbeat/exported-fields-panw.md b/docs/reference/metricbeat/exported-fields-panw.md index 9f8ad3e84004..2b06b95c7b51 100644 --- a/docs/reference/metricbeat/exported-fields-panw.md +++ b/docs/reference/metricbeat/exported-fields-panw.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-panw.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Panw fields [exported-fields-panw] PAN-OS module - ## panw [_panw] PAN-OS module diff --git a/docs/reference/metricbeat/exported-fields-php_fpm.md b/docs/reference/metricbeat/exported-fields-php_fpm.md index b26a687f8656..9f96ecbecde8 100644 --- a/docs/reference/metricbeat/exported-fields-php_fpm.md 
+++ b/docs/reference/metricbeat/exported-fields-php_fpm.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-php_fpm.html --- +% This file is generated! See scripts/generate_fields_docs.py + # PHP_FPM fields [exported-fields-php_fpm] PHP-FPM server status metrics collected from PHP-FPM. - ## php_fpm [_php_fpm] `php_fpm` contains the metrics that were obtained from PHP-FPM status page call. - -## pool [_pool_3] +## pool [_pool] `pool` contains the metrics that were obtained from the PHP-FPM process pool. @@ -23,8 +23,7 @@ PHP-FPM server status metrics collected from PHP-FPM. type: keyword - -## pool [_pool_4] +## pool [_pool] `pool` contains the metrics that were obtained from the PHP-FPM process pool. @@ -34,8 +33,7 @@ type: keyword type: keyword - -## connections [_connections_5] +## connections [_connections] Connection state specific statistics. @@ -63,7 +61,6 @@ type: long type: long - ## processes [_processes] Process state specific statistics. @@ -93,7 +90,7 @@ type: long **`php_fpm.pool.processes.max_children_reached`** -: Number of times, the process limit has been reached, when pm tries to start more children (works only for pm *dynamic* and *ondemand*). +: Number of times, the process limit has been reached, when pm tries to start more children (works only for pm 'dynamic' and 'ondemand'). type: long @@ -116,8 +113,7 @@ type: long type: date - -## process [_process_7] +## process [_process] process contains the metrics that were obtained from the PHP-FPM process. 
@@ -198,13 +194,13 @@ type: keyword **`php_fpm.process.last_request_cpu`** -: The CPU percentage the last request consumed. It’s always 0 if the process is not in Idle state because CPU calculation is done when the request processing has terminated +: The CPU percentage the last request consumed. It's always 0 if the process is not in Idle state because CPU calculation is done when the request processing has terminated type: long **`php_fpm.process.last_request_memory`** -: The max amount of memory the last request consumed. It’s always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated +: The max amount of memory the last request consumed. It's always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated type: integer diff --git a/docs/reference/metricbeat/exported-fields-postgresql.md b/docs/reference/metricbeat/exported-fields-postgresql.md index bdb13a4984ca..89eeb0e9507c 100644 --- a/docs/reference/metricbeat/exported-fields-postgresql.md +++ b/docs/reference/metricbeat/exported-fields-postgresql.md @@ -3,16 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-postgresql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # PostgreSQL fields [exported-fields-postgresql] Metrics collected from PostgreSQL servers. - ## postgresql [_postgresql] PostgreSQL metrics. - ## activity [_activity] One document per server process, showing information related to the current activity of that process, such as state and current query. Collected by querying pg_stat_activity. 
@@ -98,18 +98,11 @@ type: boolean **`postgresql.activity.state`** -: Current overall state of this backend. Possible values are: - -* active: The backend is executing a query. -* idle: The backend is waiting for a new client command. -* idle in transaction: The backend is in a transaction, but is not currently executing a query. -* idle in transaction (aborted): This state is similar to idle in transaction, except one of the statements in the transaction caused an error. -* fastpath function call: The backend is executing a fast-path function. -* disabled: This state is reported if track_activities is disabled in this backend. +: Current overall state of this backend. Possible values are: * active: The backend is executing a query. * idle: The backend is waiting for a new client command. * idle in transaction: The backend is in a transaction, but is not currently executing a query. * idle in transaction (aborted): This state is similar to idle in transaction, except one of the statements in the transaction caused an error. * fastpath function call: The backend is executing a fast-path function. * disabled: This state is reported if track_activities is disabled in this backend. **`postgresql.activity.query`** -: Text of this backend’s most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed. +: Text of this backend's most recent query. If state is active this field shows the currently executing query. In all other states, it shows the last query that was executed. **`postgresql.activity.wait_event`** 
@@ -120,10 +113,9 @@ type: boolean : The type of event for which the backend is waiting. - ## bgwriter [_bgwriter] -Statistics about the background writer process’s activity. Collected using the pg_stat_bgwriter query. +Statistics about the background writer process's activity. Collected using the pg_stat_bgwriter query. **`postgresql.bgwriter.checkpoints.scheduled`** : Number of scheduled checkpoints that have been performed. @@ -191,8 +183,7 @@ type: long type: date - -## database [_database_2] +## database [_database] One row per database, showing database-wide statistics. Collected by querying pg_stat_database @@ -233,7 +224,7 @@ type: long **`postgresql.database.blocks.hit`** -: Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system’s file system cache). +: Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache). type: long @@ -310,7 +301,6 @@ type: long type: date - ## statement [_statement] One document per query per user per database, showing information related invocation of that query, such as cpu usage and total time. Collected by querying pg_stat_statements. diff --git a/docs/reference/metricbeat/exported-fields-process.md b/docs/reference/metricbeat/exported-fields-process.md index c1d1a224216c..2e606fa2d1c9 100644 --- a/docs/reference/metricbeat/exported-fields-process.md +++ b/docs/reference/metricbeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields 
@@ -13,8 +15,7 @@ Process metadata fields alias to: process.executable - -## owner [_owner_2] +## owner [_owner] Process owner information. diff --git a/docs/reference/metricbeat/exported-fields-prometheus-xpack.md b/docs/reference/metricbeat/exported-fields-prometheus-xpack.md index a55f5b671107..1c8520cc60e3 100644 --- a/docs/reference/metricbeat/exported-fields-prometheus-xpack.md +++ b/docs/reference/metricbeat/exported-fields-prometheus-xpack.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-prometheus-xpack.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Prometheus typed metrics fields [exported-fields-prometheus-xpack] Stats scraped from a Prometheus endpoint. diff --git a/docs/reference/metricbeat/exported-fields-prometheus.md b/docs/reference/metricbeat/exported-fields-prometheus.md index 3e1944dbbcf6..b3d1e19a87bb 100644 --- a/docs/reference/metricbeat/exported-fields-prometheus.md +++ b/docs/reference/metricbeat/exported-fields-prometheus.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-prometheus.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Prometheus fields [exported-fields-prometheus] Stats scraped from a Prometheus endpoint. @@ -31,12 +33,10 @@ type: object type: object - -## query [_query_3] +## query [_query] query metricset - ## remote_write [_remote_write] remote write metrics from Prometheus server diff --git a/docs/reference/metricbeat/exported-fields-rabbitmq.md b/docs/reference/metricbeat/exported-fields-rabbitmq.md index 580a2241447b..f78d7d07a99e 100644 --- a/docs/reference/metricbeat/exported-fields-rabbitmq.md +++ b/docs/reference/metricbeat/exported-fields-rabbitmq.md 
@@ -3,21 +3,23 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-rabbitmq.html --- +% This file is generated! See scripts/generate_fields_docs.py + # RabbitMQ fields [exported-fields-rabbitmq] RabbitMQ module - ## rabbitmq [_rabbitmq] + + **`rabbitmq.vhost`** : Virtual host name with non-ASCII characters escaped as in C. type: keyword - -## connection [_connection_4] +## connection [_connection] connection @@ -143,7 +145,6 @@ type: long type: keyword - ## exchange [_exchange] exchange @@ -212,8 +213,7 @@ type: long type: float - -## node [_node_8] +## node [_node] node @@ -451,8 +451,7 @@ type: keyword type: long - -## queue [_queue_9] +## queue [_queue] queue @@ -497,7 +496,7 @@ alias to: rabbitmq.node.name **`rabbitmq.queue.state`** -: The state of the queue. Normally *running*, but may be "{syncing, MsgCount}" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of *down*. +: The state of the queue. Normally 'running', but may be "{syncing, MsgCount}" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of 'down'. type: keyword @@ -584,7 +583,6 @@ type: long type: long - ## shovel [_shovel] shovel @@ -612,13 +610,13 @@ alias to: rabbitmq.node.name **`rabbitmq.shovel.state`** -: The state of the shovel. Normally *running*, but could be *starting* or *terminated*. +: The state of the shovel. Normally 'running', but could be 'starting' or 'terminated'. type: keyword **`rabbitmq.shovel.type`** -: The type of the shovel. Either *static* or *dynamic*. +: The type of the shovel. Either 'static' or 'dynamic'. type: keyword diff --git a/docs/reference/metricbeat/exported-fields-redis.md b/docs/reference/metricbeat/exported-fields-redis.md index 3f4b6e51c014..0825ac7794b2 100644 --- a/docs/reference/metricbeat/exported-fields-redis.md 
+++ b/docs/reference/metricbeat/exported-fields-redis.md @@ -3,21 +3,20 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-redis.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Redis fields [exported-fields-redis] Redis metrics collected from Redis. - ## redis [_redis] `redis` contains the information and statistics from Redis. - -## info [_info_6] +## info [_info] `info` contains the information and statistics returned by the `INFO` command. - ## clients [_clients] Redis client stats. @@ -46,8 +45,7 @@ type: long type: long - -## cluster [_cluster_3] +## cluster [_cluster] Redis cluster information. @@ -57,8 +55,7 @@ Redis cluster information. type: boolean - -## cpu [_cpu_10] +## cpu [_cpu] Redis CPU stats @@ -86,8 +83,7 @@ type: scaled_float type: scaled_float - -## memory [_memory_10] +## memory [_memory] Redis memory stats. @@ -223,7 +219,6 @@ type: long format: bytes - ## persistence [_persistence] Redis CPU stats. @@ -234,7 +229,6 @@ Redis CPU stats. type: boolean - ## rdb [_rdb] Provides information about RDB persistence @@ -287,7 +281,6 @@ type: long format: bytes - ## aof [_aof] Provides information about AOF persitence @@ -390,8 +383,7 @@ type: long type: long - -## replication [_replication_2] +## replication [_replication] Replication @@ -434,7 +426,7 @@ type: long **`redis.info.replication.master.offset`** -: The server’s current replication offset +: The server's current replication offset type: long @@ -499,8 +491,7 @@ type: long type: boolean - -## server [_server_9] +## server [_server] Server info @@ -606,8 +597,7 @@ type: long type: keyword - -## stats [_stats_10] +## stats [_stats] Redis stats. 
@@ -648,13 +638,13 @@ type: long **`redis.info.stats.instantaneous.input_kbps`** -: The network’s read rate per second in KB/sec +: The network's read rate per second in KB/sec type: scaled_float **`redis.info.stats.instantaneous.output_kbps`** -: The network’s write rate per second in KB/sec +: The network's write rate per second in KB/sec type: scaled_float @@ -761,7 +751,6 @@ type: long type: long - ## commandstats [_commandstats] Redis command statistics @@ -796,8 +785,7 @@ type: long type: long - -## key [_key_2] +## key [_key] `key` contains information about keys. @@ -831,7 +819,6 @@ type: long type: long - ## keyspace [_keyspace] `keyspace` contains the information about the keyspaces returned by the `INFO` command. diff --git a/docs/reference/metricbeat/exported-fields-redisenterprise.md b/docs/reference/metricbeat/exported-fields-redisenterprise.md index a131fb0cefc3..3e9126e613a1 100644 --- a/docs/reference/metricbeat/exported-fields-redisenterprise.md +++ b/docs/reference/metricbeat/exported-fields-redisenterprise.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-redisenterprise.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Redis Enterprise fields [exported-fields-redisenterprise] Redis metrics collected from Redis Enterprise Server. - ## redisenterprise [_redisenterprise] `redisenterprise` contains the information and statistics from Redis Enterprise Server. diff --git a/docs/reference/metricbeat/exported-fields-sql.md b/docs/reference/metricbeat/exported-fields-sql.md index f8a2f5955faa..6abe717fd02d 100644 --- a/docs/reference/metricbeat/exported-fields-sql.md +++ b/docs/reference/metricbeat/exported-fields-sql.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-sql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # SQL fields [exported-fields-sql] SQL module fetches metrics from a SQL database diff --git a/docs/reference/metricbeat/exported-fields-stan.md b/docs/reference/metricbeat/exported-fields-stan.md index d698ba934d31..f49e74cac8fd 100644 --- a/docs/reference/metricbeat/exported-fields-stan.md +++ b/docs/reference/metricbeat/exported-fields-stan.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-stan.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Stan fields [exported-fields-stan] stan Module - ## stan [_stan] `stan` contains statistics that were read from Nats Streaming server (STAN) @@ -24,7 +25,6 @@ type: keyword type: keyword - ## channels [_channels] Contains stan / nats streaming/serverz endpoint metrics @@ -65,8 +65,7 @@ type: long type: long - -## stats [_stats_11] +## stats [_stats] Contains only high-level stan / nats streaming server related metrics @@ -112,8 +111,7 @@ type: long type: long - -## subscriptions [_subscriptions_2] +## subscriptions [_subscriptions] Contains stan / nats streaming/serverz endpoint subscription metrics diff --git a/docs/reference/metricbeat/exported-fields-statsd.md b/docs/reference/metricbeat/exported-fields-statsd.md index 1cf413573f8a..96ac381ea51d 100644 --- a/docs/reference/metricbeat/exported-fields-statsd.md +++ b/docs/reference/metricbeat/exported-fields-statsd.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-statsd.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Statsd fields [exported-fields-statsd] Statsd module 
diff --git a/docs/reference/metricbeat/exported-fields-syncgateway.md b/docs/reference/metricbeat/exported-fields-syncgateway.md index 888b51e8c734..3f1ebc05a496 100644 --- a/docs/reference/metricbeat/exported-fields-syncgateway.md +++ b/docs/reference/metricbeat/exported-fields-syncgateway.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-syncgateway.html --- +% This file is generated! See scripts/generate_fields_docs.py + # SyncGateway fields [exported-fields-syncgateway] SyncGateway metrics - ## syncgateway [_syncgateway] `syncgateway` contains the information and statistics from SyncGateway. - -## syncgateway [_syncgateway_2] +## syncgateway [_syncgateway] Couchbase Sync Gateway metrics. @@ -23,8 +23,7 @@ Couchbase Sync Gateway metrics. type: keyword - -## metrics [_metrics_10] +## metrics [_metrics] Metrics of all databases contained in the config file of the SyncGateway instance. @@ -300,7 +299,6 @@ type: long : type: double - ## memstats [_memstats] Dumps a large amount of information about the memory heap and garbage collector @@ -421,8 +419,7 @@ Dumps a large amount of information about the memory heap and garbage collector : type: double - -## memory [_memory_11] +## memory [_memory] SyncGateway memory metrics. It dumps a large amount of information about the memory heap and garbage collector @@ -542,13 +539,11 @@ SyncGateway memory metrics. It dumps a large amount of information about the mem : type: double - -## replication [_replication_3] +## replication [_replication] SyncGateway per replication metrics. - -## metrics [_metrics_11] +## metrics [_metrics] Metrics related with data replication. @@ -588,7 +583,6 @@ type: long type: keyword - ## resources [_resources] SyncGateway global resource utilization diff --git a/docs/reference/metricbeat/exported-fields-system.md b/docs/reference/metricbeat/exported-fields-system.md index a5045b932fb5..6839e70b6250 100644 
--- a/docs/reference/metricbeat/exported-fields-system.md +++ b/docs/reference/metricbeat/exported-fields-system.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-system.html --- +% This file is generated! See scripts/generate_fields_docs.py + # System fields [exported-fields-system] System status metrics, like CPU and memory usage, that are collected from the operating system. - -## process [_process_8] +## process [_process] Process metrics. @@ -40,13 +41,11 @@ type: scaled_float format: percent - -## system [_system_4] +## system [_system] `system` contains local system metrics. - -## core [_core_2] +## core [_core] `system-core` contains CPU metrics for a single core of a multi-core system. @@ -206,8 +205,7 @@ type: keyword type: keyword - -## cpu [_cpu_11] +## cpu [_cpu] `cpu` contains local CPU stats. @@ -409,8 +407,7 @@ type: long type: long - -## diskio [_diskio_4] +## diskio [_diskio] `disk` contains disk IO metrics collected from the operating system. @@ -423,7 +420,7 @@ example: sda1 **`system.diskio.serial_number`** -: The disk’s serial number. This may not be provided by all operating systems. +: The disk's serial number. This may not be provided by all operating systems. type: keyword @@ -480,8 +477,7 @@ type: long type: long - -## entropy [_entropy_2] +## entropy [_entropy] Available system entropy @@ -499,8 +495,7 @@ type: scaled_float format: percent - -## filesystem [_filesystem_3] +## filesystem [_filesystem] `filesystem` contains local filesystem stats. @@ -580,8 +575,7 @@ type: scaled_float format: percent - -## fsstat [_fsstat_2] +## fsstat [_fsstat] `system.fsstat` contains filesystem metrics aggregated from all mounted filesystems. @@ -597,8 +591,7 @@ type: long type: long - -## total_size [_total_size_2] +## total_size [_total_size] Nested file system docs. @@ -626,8 +619,7 @@ type: long format: bytes - -## load [_load_3] +## load [_load] CPU load averages. 
@@ -673,8 +665,7 @@ type: scaled_float type: long - -## memory [_memory_12] +## memory [_memory] `memory` contains local memory stats. @@ -718,7 +709,6 @@ type: scaled_float format: percent - ## actual [_actual] Actual memory used and free. @@ -747,8 +737,7 @@ type: scaled_float format: percent - -## swap [_swap_3] +## swap [_swap] This group contains statistics related to the swap memory usage on the system. @@ -784,8 +773,7 @@ type: scaled_float format: percent - -## network [_network_10] +## network [_network] `network` contains network IO metrics for a single network interface. @@ -849,8 +837,7 @@ type: long type: long - -## network_summary [_network_summary_2] +## network_summary [_network_summary] Metrics relating to global network activity @@ -884,8 +871,7 @@ type: object type: object - -## process [_process_9] +## process [_process] `process` contains process metadata, CPU metrics, and memory metrics. @@ -949,8 +935,7 @@ alias to: process.working_directory type: object - -## cpu [_cpu_12] +## cpu [_cpu] CPU-specific statistics per process. @@ -1000,8 +985,7 @@ type: long type: date - -## memory [_memory_13] +## memory [_memory] Memory-specific statistics per process. @@ -1037,7 +1021,6 @@ type: long format: bytes - ## io [_io] Disk I/O Metrics, as forwarded from /proc/[PID]/io. Available on Linux only. @@ -1084,7 +1067,6 @@ type: long type: long - ## fd [_fd] File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD. 
@@ -1107,19 +1089,18 @@ type: long type: long - ## cgroup [_cgroup] Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux. **`system.process.cgroup.id`** -: The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent. +: The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. type: keyword **`system.process.cgroup.path`** -: The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent. +: The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. type: keyword @@ -1130,8 +1111,7 @@ type: keyword type: long - -## cpu [_cpu_13] +## cpu [_cpu] The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. In CPU under cgroups V2, the cgroup is merged with many of the metrics from cpuacct. In addition, per-scheduler metrics are gone in V2. @@ -1142,13 +1122,12 @@ type: keyword **`system.process.cgroup.cpu.path`** -: Path to the cgroup relative to the cgroup subsystem’s mountpoint. +: Path to the cgroup relative to the cgroup subsystem's mountpoint. type: keyword - -## stats [_stats_12] +## stats [_stats] cgroupv2 stats 
@@ -1207,7 +1186,7 @@ type: float **`system.process.cgroup.cpu.cfs.period.us`** -: Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated. +: Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. type: long @@ -1225,7 +1204,7 @@ type: long **`system.process.cgroup.cpu.rt.period.us`** -: Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated. +: Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. type: long @@ -1260,12 +1239,10 @@ type: long type: long - -## pressure [_pressure_2] +## pressure [_pressure] Pressure (resource contention) stats. - ## some [_some] Share of time in which at least some tasks are stalled on a given resource @@ -1302,7 +1279,6 @@ type: long format: percent - ## full [_full] Share of time in which all non-idle tasks are stalled on a given resource simultaneously @@ -1337,7 +1313,6 @@ format: percent type: long - ## cpuacct [_cpuacct] CPU accounting metrics. @@ -1349,7 +1324,7 @@ type: keyword **`system.process.cgroup.cpuacct.path`** -: Path to the cgroup relative to the cgroup subsystem’s mountpoint. +: Path to the cgroup relative to the cgroup subsystem's mountpoint. type: keyword @@ -1414,8 +1389,7 @@ type: scaled_float type: object - -## memory [_memory_14] +## memory [_memory] Memory limits and metrics. @@ -1426,7 +1400,7 @@ type: keyword **`system.process.cgroup.memory.path`** -: Path to the cgroup relative to the cgroup subsystem’s mountpoint. +: Path to the cgroup relative to the cgroup subsystem's mountpoint. type: keyword @@ -1485,8 +1459,7 @@ type: long format: bytes - -## mem.events [_mem_events] +## mem.events [_mem.events] number of times the controller tripped a given usage level 
@@ -1580,8 +1553,7 @@ format: bytes type: long - -## memsw.events [_memsw_events] +## memsw.events [_memsw.events] number of times the controller tripped a given usage level @@ -1813,8 +1785,7 @@ type: long format: bytes - -## blkio [_blkio_2] +## blkio [_blkio] Block IO metrics. @@ -1844,8 +1815,7 @@ format: bytes type: long - -## io [_io_2] +## io [_io] cgroup V2 IO Metrics, replacing blkio. @@ -1883,13 +1853,11 @@ type: object type: object - -## pressure [_pressure_3] +## pressure [_pressure] Pressure (resource contention) stats. - -## full [_full_2] +## full [_full] Share of time in which at least some tasks are stalled on a given resource @@ -1923,8 +1891,7 @@ format: percent type: long - -## some [_some_2] +## some [_some] Share of time in which all tasks are stalled on a given resource @@ -1956,8 +1923,7 @@ type: float type: long - -## process.summary [_process_summary_2] +## process.summary [_process.summary] Summary metrics for the processes running on the host. @@ -1998,7 +1964,7 @@ type: long **`system.process.summary.dead`** -: Number of dead processes on this host. It’s very unlikely that it will appear but in some special situations it may happen. +: Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. type: long @@ -2022,13 +1988,12 @@ type: long **`system.process.summary.unknown`** -: Number of processes for which the state couldn’t be retrieved or is unknown. +: Number of processes for which the state couldn't be retrieved or is unknown. type: long - -## threads [_threads_3] +## threads [_threads] Counts of individual threads on a system. @@ -2044,8 +2009,7 @@ type: long type: long - -## raid [_raid_2] +## raid [_raid] raid @@ -2115,8 +2079,7 @@ type: long type: long - -## service [_service_4] +## service [_service] metrics for system services 
@@ -2151,7 +2114,7 @@ type: date **`system.service.exec_code`** -: The SIGCHLD code from the service’s main process +: The SIGCHLD code from the service's main process type: keyword @@ -2168,8 +2131,7 @@ type: keyword type: keyword - -## resources [_resources_2] +## resources [_resources] system metrics associated with the service @@ -2191,8 +2153,7 @@ type: long type: long - -## network [_network_11] +## network [_network] network resource usage @@ -2224,8 +2185,7 @@ type: long type: long - -## socket [_socket_2] +## socket [_socket] TCP sockets that are active. @@ -2282,7 +2242,7 @@ example: 76-211-117-36.nw.example.com. **`system.socket.remote.etld_plus_one`** -: The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from [http://publicsuffix.org](http://publicsuffix.org). +: The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. type: keyword @@ -2331,12 +2291,10 @@ alias to: user.id alias to: user.full_name - -## socket.summary [_socket_summary_2] +## socket.summary [_socket.summary] Summary metrics of open sockets in the host system - ## all [_all] All connections @@ -2353,7 +2311,6 @@ type: integer type: integer - ## tcp [_tcp] All TCP connections @@ -2366,8 +2323,7 @@ type: integer format: bytes - -## all [_all_2] +## all [_all] All TCP connections 
@@ -2396,54 +2352,53 @@ type: integer **`system.socket.summary.tcp.all.close_wait`** -: Number of TCP connections in *close_wait* state +: Number of TCP connections in _close_wait_ state type: integer **`system.socket.summary.tcp.all.time_wait`** -: Number of TCP connections in *time_wait* state +: Number of TCP connections in _time_wait_ state type: integer **`system.socket.summary.tcp.all.syn_sent`** -: Number of TCP connections in *syn_sent* state +: Number of TCP connections in _syn_sent_ state type: integer **`system.socket.summary.tcp.all.syn_recv`** -: Number of TCP connections in *syn_recv* state +: Number of TCP connections in _syn_recv_ state type: integer **`system.socket.summary.tcp.all.fin_wait1`** -: Number of TCP connections in *fin_wait1* state +: Number of TCP connections in _fin_wait1_ state type: integer **`system.socket.summary.tcp.all.fin_wait2`** -: Number of TCP connections in *fin_wait2* state +: Number of TCP connections in _fin_wait2_ state type: integer **`system.socket.summary.tcp.all.last_ack`** -: Number of TCP connections in *last_ack* state +: Number of TCP connections in _last_ack_ state type: integer **`system.socket.summary.tcp.all.closing`** -: Number of TCP connections in *closing* state +: Number of TCP connections in _closing_ state type: integer - ## udp [_udp] All UDP connections @@ -2456,8 +2411,7 @@ type: integer format: bytes - -## all [_all_3] +## all [_all] All UDP connections @@ -2467,8 +2421,7 @@ All UDP connections type: integer - -## uptime [_uptime_3] +## uptime [_uptime] `uptime` contains the operating system uptime metric. @@ -2480,7 +2433,6 @@ type: long format: duration - ## users [_users] Logged-in user session data diff --git a/docs/reference/metricbeat/exported-fields-tomcat.md b/docs/reference/metricbeat/exported-fields-tomcat.md index 64145e8341a5..f3e4878cc3c8 100644 --- a/docs/reference/metricbeat/exported-fields-tomcat.md +++ b/docs/reference/metricbeat/exported-fields-tomcat.md 
@@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-tomcat.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Tomcat fields [exported-fields-tomcat] Tomcat module - -## cache [_cache_5] +## cache [_cache] Catalina Cache metrics from the WebResourceRoot @@ -48,8 +49,7 @@ type: long type: long - -## memory [_memory_15] +## memory [_memory] Memory metrics from java.lang JMX @@ -107,8 +107,7 @@ type: long type: long - -## requests [_requests_2] +## requests [_requests] Requests processor metrics from GlobalRequestProcessor JMX @@ -148,10 +147,9 @@ type: long type: long - ## threading [_threading] -Threading metrics from the Catalina’s ThreadPool JMX +Threading metrics from the Catalina's ThreadPool JMX **`tomcat.threading.busy`** : Current busy threads from the ThreadPool diff --git a/docs/reference/metricbeat/exported-fields-traefik.md b/docs/reference/metricbeat/exported-fields-traefik.md index 422ec05f2872..a1840d704e5d 100644 --- a/docs/reference/metricbeat/exported-fields-traefik.md +++ b/docs/reference/metricbeat/exported-fields-traefik.md @@ -3,19 +3,19 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-traefik.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Traefik fields [exported-fields-traefik] Traefik reverse proxy / load balancer metrics - ## traefik [_traefik] Traefik reverse proxy / load balancer metrics +## health [_health] -## health [_health_2] - -Metrics obtained from Traefik’s health API endpoint +Metrics obtained from Traefik's health API endpoint **`traefik.health.uptime.sec`** : Uptime of Traefik instance in seconds @@ -23,8 +23,7 @@ Metrics obtained from Traefik’s health API endpoint type: long - -## response [_response_2] +## response [_response] Response metrics 
diff --git a/docs/reference/metricbeat/exported-fields-uwsgi.md b/docs/reference/metricbeat/exported-fields-uwsgi.md index badc2d5785fe..e9117d49c561 100644 --- a/docs/reference/metricbeat/exported-fields-uwsgi.md +++ b/docs/reference/metricbeat/exported-fields-uwsgi.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-uwsgi.html --- +% This file is generated! See scripts/generate_fields_docs.py + # uWSGI fields [exported-fields-uwsgi] uwsgi module - ## uwsgi [_uwsgi] -## status [_status_8] + +## status [_status] uwsgi.status metricset fields diff --git a/docs/reference/metricbeat/exported-fields-vsphere.md b/docs/reference/metricbeat/exported-fields-vsphere.md index f4b4847cf880..e8089917bf11 100644 --- a/docs/reference/metricbeat/exported-fields-vsphere.md +++ b/docs/reference/metricbeat/exported-fields-vsphere.md @@ -3,15 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-vsphere.html --- +% This file is generated! See scripts/generate_fields_docs.py + # vSphere fields [exported-fields-vsphere] vSphere module - ## vsphere [_vsphere] -## cluster [_cluster_4] + +## cluster [_cluster] Cluster information. @@ -81,7 +83,6 @@ type: keyword type: object - ## datastore [_datastore] datastore @@ -212,7 +213,6 @@ type: long format: bytes - ## datastorecluster [_datastorecluster] Datastore Cluster @@ -263,8 +263,7 @@ type: long type: object - -## host [_host_2] +## host [_host] Host information from vSphere environment. @@ -516,8 +515,7 @@ type: keyword type: long - -## network [_network_12] +## network [_network] Network-related information. @@ -587,7 +585,6 @@ type: long type: object - ## resourcepool [_resourcepool] Resource pool information from vSphere environment. 
@@ -671,7 +668,7 @@ format: bytes **`vsphere.resourcepool.memory.swapped.bytes`** -: The portion of memory, in bytes, that is granted to a virtual machine from the host’s swap space. +: The portion of memory, in bytes, that is granted to a virtual machine from the host's swap space. type: long @@ -740,7 +737,6 @@ type: keyword type: object - ## virtualmachine [_virtualmachine] virtualmachine @@ -793,6 +789,12 @@ type: long type: long +**`vsphere.virtualmachine.cpu.usage.percent`** +: CPU usage as a percentage. + +type: scaled_float + + **`vsphere.virtualmachine.memory.used.guest.bytes`** : Used memory of Guest in bytes. @@ -825,6 +827,12 @@ type: long format: bytes +**`vsphere.virtualmachine.memory.usage.percent`** +: Memory usage as percent of total configured or available memory. + +type: scaled_float + + **`vsphere.virtualmachine.custom_fields`** : Custom fields. @@ -891,3 +899,33 @@ type: long type: object +**`vsphere.virtualmachine.disk.average.bytes`** +: Aggregated disk I/O rate. + +type: long + + +**`vsphere.virtualmachine.disk.read.average.bytes`** +: Rate at which data is read from each virtual disk on the virtual machine. + +type: long + + +**`vsphere.virtualmachine.disk.write.average.bytes`** +: Rate at which data is written to each virtual disk on the virtual machine. + +type: long + + +**`vsphere.virtualmachine.disk.numberRead.count`** +: Number of times data was read. + +type: long + + +**`vsphere.virtualmachine.disk.numberWrite.count`** +: Number of disk writes. + +type: long + + diff --git a/docs/reference/metricbeat/exported-fields-windows.md b/docs/reference/metricbeat/exported-fields-windows.md index ecd6b2a9bc93..8ed8a1d98603 100644 --- a/docs/reference/metricbeat/exported-fields-windows.md +++ b/docs/reference/metricbeat/exported-fields-windows.md 
@@ -3,14 +3,16 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-windows.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Windows fields [exported-fields-windows] Module for Windows - ## windows [_windows] + ## perfmon [_perfmon] perfmon @@ -27,13 +29,12 @@ type: keyword type: object - -## service [_service_5] +## service [_service] `service` contains the status for Windows services. **`windows.service.id`** -: A unique ID for the service. It is a hash of the machine’s GUID and the service name. +: A unique ID for the service. It is a hash of the machine's GUID and the service name. type: keyword @@ -99,15 +100,10 @@ example: 1092 **`windows.service.uptime.ms`** -: The service’s uptime specified in milliseconds. +: The service's uptime specified in milliseconds. type: long format: duration - -## wmi [_wmi] - -wmi - diff --git a/docs/reference/metricbeat/exported-fields-zookeeper.md b/docs/reference/metricbeat/exported-fields-zookeeper.md index 7bc6400d647d..e145a076d4da 100644 --- a/docs/reference/metricbeat/exported-fields-zookeeper.md +++ b/docs/reference/metricbeat/exported-fields-zookeeper.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields-zookeeper.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ZooKeeper fields [exported-fields-zookeeper] ZooKeeper metrics collected by the four-letter monitoring commands. - ## zookeeper [_zookeeper] `zookeeper` contains the metrics reported by ZooKeeper commands. - -## connection [_connection_5] +## connection [_connection] connections @@ -41,7 +41,6 @@ type: long type: long - ## mntr [_mntr] `mntr` contains the metrics reported by the four-letter `mntr` command. @@ -162,8 +161,7 @@ type: long type: long - -## server [_server_10] +## server [_server] server contains the metrics reported by the four-letter `srvr` command. 
diff --git a/docs/reference/metricbeat/exported-fields.md b/docs/reference/metricbeat/exported-fields.md index cc8fb541868c..df0c8f5cf2f3 100644 --- a/docs/reference/metricbeat/exported-fields.md +++ b/docs/reference/metricbeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/metricbeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Metricbeat. They are grouped in the following categories: @@ -53,7 +55,7 @@ This document describes the fields that are exported by Metricbeat. They are gro * [*Linux fields*](/reference/metricbeat/exported-fields-linux.md) * [*Logstash fields*](/reference/metricbeat/exported-fields-logstash.md) * [*Memcached fields*](/reference/metricbeat/exported-fields-memcached.md) -* [Memcached fields](/reference/metricbeat/exported-fields-memcached.md#exported-fields-meraki) +* [*Cisco Meraki fields*](/reference/metricbeat/exported-fields-meraki.md) * [*MongoDB fields*](/reference/metricbeat/exported-fields-mongodb.md) * [*MSSQL fields*](/reference/metricbeat/exported-fields-mssql.md) * [*Munin fields*](/reference/metricbeat/exported-fields-munin.md) @@ -83,4 +85,3 @@ This document describes the fields that are exported by Metricbeat. They are gro * [*vSphere fields*](/reference/metricbeat/exported-fields-vsphere.md) * [*Windows fields*](/reference/metricbeat/exported-fields-windows.md) * [*ZooKeeper fields*](/reference/metricbeat/exported-fields-zookeeper.md) - diff --git a/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md b/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md index a496e7cf3eeb..1d4ff1f884c2 100644 --- a/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md +++ b/docs/reference/metricbeat/metricbeat-metricset-meraki-device_health.md 
@@ -14,7 +14,7 @@ This is the device_health metricset of the module meraki. ## Fields [_fields_175] -For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-memcached.md#exported-fields-meraki) section. +For a description of each field in the metricset, see the [exported fields](/reference/metricbeat/exported-fields-meraki.md) section. Here is an example document generated by this metricset: diff --git a/docs/reference/packetbeat/exported-fields-amqp.md b/docs/reference/packetbeat/exported-fields-amqp.md index b50bc432f9b7..50b161b7adeb 100644 --- a/docs/reference/packetbeat/exported-fields-amqp.md +++ b/docs/reference/packetbeat/exported-fields-amqp.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-amqp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # AMQP fields [exported-fields-amqp] AMQP specific event fields. diff --git a/docs/reference/packetbeat/exported-fields-beat-common.md b/docs/reference/packetbeat/exported-fields-beat-common.md index 24f12f1a12c7..a52fa553b52e 100644 --- a/docs/reference/packetbeat/exported-fields-beat-common.md +++ b/docs/reference/packetbeat/exported-fields-beat-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/packetbeat/exported-fields-cassandra.md b/docs/reference/packetbeat/exported-fields-cassandra.md index 795babd54f77..5f1235898df9 100644 --- a/docs/reference/packetbeat/exported-fields-cassandra.md +++ b/docs/reference/packetbeat/exported-fields-cassandra.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-cassandra.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cassandra fields [exported-fields-cassandra] Cassandra v4/3 specific event fields. @@ -13,7 +15,6 @@ Cassandra v4/3 specific event fields. alias to: cassandra.no_request - ## cassandra [_cassandra] Information about the Cassandra request and response. @@ -24,13 +25,11 @@ Information about the Cassandra request and response. type: boolean - ## request [_request] Cassandra request. - -## headers [_headers_3] +## headers [_headers] Cassandra request headers. @@ -70,15 +69,13 @@ type: long type: keyword - ## response [_response] Cassandra response. +## headers [_headers] -## headers [_headers_4] - -Cassandra response headers, the structure is as same as request’s header. +Cassandra response headers, the structure is as same as request's header. **`cassandra.response.headers.version`** : The version of the protocol. @@ -110,7 +107,6 @@ type: keyword type: long - ## result [_result] Details about the returned result. @@ -121,7 +117,6 @@ Details about the returned result. type: keyword - ## rows [_rows] Details about the rows. @@ -132,7 +127,6 @@ Details about the rows. type: long - ## meta [_meta] Composed of result metadata. @@ -179,7 +173,6 @@ type: keyword type: keyword - ## schema_change [_schema_change] The result to a schema_change message. @@ -226,7 +219,6 @@ type: keyword type: keyword - ## prepared [_prepared] The result to a PREPARE message. @@ -237,7 +229,6 @@ The result to a PREPARE message. type: keyword - ## req_meta [_req_meta] This describes the request metadata. @@ -278,7 +269,6 @@ type: long type: keyword - ## resp_meta [_resp_meta] This describes the metadata for the result set. @@ -325,7 +315,6 @@ type: keyword type: object - ## authentication [_authentication] Indicates that the server requires authentication, and which authentication mechanism to use. 
@@ -342,7 +331,6 @@ type: keyword type: keyword - ## event [_event] Event pushed by the server. A client will only receive events for the types it has REGISTERed to. @@ -371,8 +359,7 @@ type: keyword type: long - -## schema_change [_schema_change_2] +## schema_change [_schema_change] The events details related to schema change. @@ -418,7 +405,6 @@ type: keyword type: keyword - ## error [_error] Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. @@ -441,7 +427,6 @@ type: keyword type: keyword - ## details [_details] The details of the error. diff --git a/docs/reference/packetbeat/exported-fields-cloud.md b/docs/reference/packetbeat/exported-fields-cloud.md index 3ec17fc7515f..02b0fded294a 100644 --- a/docs/reference/packetbeat/exported-fields-cloud.md +++ b/docs/reference/packetbeat/exported-fields-cloud.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/packetbeat/exported-fields-common.md b/docs/reference/packetbeat/exported-fields-common.md index 04eb14a8d401..40c9fdaaa311 100644 --- a/docs/reference/packetbeat/exported-fields-common.md +++ b/docs/reference/packetbeat/exported-fields-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Common fields [exported-fields-common] These fields contain data about the environment in which the transaction or flow was captured. 
diff --git a/docs/reference/packetbeat/exported-fields-dhcpv4.md b/docs/reference/packetbeat/exported-fields-dhcpv4.md index fca55413599c..08337196393c 100644 --- a/docs/reference/packetbeat/exported-fields-dhcpv4.md +++ b/docs/reference/packetbeat/exported-fields-dhcpv4.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-dhcpv4.html --- +% This file is generated! See scripts/generate_fields_docs.py + # DHCPv4 fields [exported-fields-dhcpv4] DHCPv4 event fields @@ -20,7 +22,7 @@ type: long **`dhcpv4.flags`** -: Flags are set by the client to indicate how the DHCP server should its reply — either unicast or broadcast. +: Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. type: keyword @@ -50,7 +52,7 @@ type: ip **`dhcpv4.client_mac`** -: The client’s MAC address (layer two). +: The client's MAC address (layer two). type: keyword @@ -108,7 +110,7 @@ type: ip **`dhcpv4.option.broadcast_address`** -: This option specifies the broadcast address in use on the client’s subnet. +: This option specifies the broadcast address in use on the client's subnet. type: ip @@ -120,7 +122,7 @@ type: long **`dhcpv4.option.class_identifier`** -: This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client’s hardware configuration. +: This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. type: keyword 
@@ -150,13 +152,13 @@ type: ip **`dhcpv4.option.utc_time_offset_sec`** -: The time offset field specifies the offset of the client’s subnet in seconds from Coordinated Universal Time (UTC). +: The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). type: long **`dhcpv4.option.router`** -: The router option specifies a list of IP addresses for routers on the client’s subnet. +: The router option specifies a list of IP addresses for routers on the client's subnet. type: ip @@ -204,7 +206,7 @@ type: long **`dhcpv4.option.boot_file_name`** -: This option is used to identify a bootfile when the *file* field in the DHCP header has been used for DHCP options. +: This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. type: keyword diff --git a/docs/reference/packetbeat/exported-fields-dns.md b/docs/reference/packetbeat/exported-fields-dns.md index b96ba1e47138..c36f3905a3a8 100644 --- a/docs/reference/packetbeat/exported-fields-dns.md +++ b/docs/reference/packetbeat/exported-fields-dns.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-dns.html --- +% This file is generated! See scripts/generate_fields_docs.py + # DNS fields [exported-fields-dns] DNS-specific event fields. @@ -44,7 +46,7 @@ type: boolean **`dns.question.etld_plus_one`** -: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from [http://publicsuffix.org](http://publicsuffix.org). +: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. example: amazon.co.uk. 
@@ -144,7 +146,7 @@ example: BADVERS **`dns.opt.udp_size`** -: Requestor’s UDP payload size (in bytes). +: Requestor's UDP payload size (in bytes). type: long diff --git a/docs/reference/packetbeat/exported-fields-docker-processor.md b/docs/reference/packetbeat/exported-fields-docker-processor.md index 294f6c1b7c6d..427d19f43742 100644 --- a/docs/reference/packetbeat/exported-fields-docker-processor.md +++ b/docs/reference/packetbeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. diff --git a/docs/reference/packetbeat/exported-fields-ecs.md b/docs/reference/packetbeat/exported-fields-ecs.md index 78b0ee5f15d0..9cb426360e98 100644 --- a/docs/reference/packetbeat/exported-fields-ecs.md +++ b/docs/reference/packetbeat/exported-fields-ecs.md 
@@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Packetbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Packetbeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] - ## agent [_agent] -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text - ## client [_client] -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,7 +746,6 @@ type: boolean example: true - ## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs - ## destination [_destination] -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - ## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword +## error [_error] -## error [_error_2] - -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException +## event [_event] -## event [_event_2] - -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http - ## file [_file] -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,7 +2773,6 @@ type: keyword example: America/Argentina/Buenos_Aires - ## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 - ## log [_log] -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error - ## network [_network] -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal
 **`observer.geo.continent_code`**
-: Two-letter code representing continent’s name.
+: Two-letter code representing continent's name.
 type: keyword
@@ -3763,7 +3761,7 @@ example: darwin
 **`observer.os.type`**
-: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
 type: keyword
@@ -3814,7 +3812,6 @@ example: Symantec
 type: keyword
-
 ## orchestrator [_orchestrator]
 Fields that describe the resources which container orchestrators manage or act upon.
@@ -3885,10 +3882,10 @@ type: keyword
 example: kubernetes
-
 ## organization [_organization]
-The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
+The organization fields enrich data with information about the company or entity the data is associated with.
+These fields help you arrange or filter data stored in an index by one or multiple organizations.
 **`organization.id`**
 : Unique identifier for the organization.
@@ -3906,7 +3903,6 @@ type: keyword
 : type: match_only_text
-
 ## os [_os]
 The OS fields contain information about the operating system.
@@ -3960,7 +3956,7 @@ example: darwin
 **`os.type`**
-: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
 type: keyword
@@ -3975,7 +3971,6 @@ type: keyword
 example: 10.14.1
-
 ## package [_package]
 These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
@@ -4027,7 +4022,7 @@ type: date
 **`package.license`**
-: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)).
+: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
 type: keyword
@@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/
 type: keyword
-example: [https://golang.org](https://golang.org)
+example: https://golang.org
 **`package.size`**
@@ -4084,7 +4079,6 @@ type: keyword
 example: 1.12.9
-
 ## pe [_pe]
 These fields contain Windows Portable Executable (PE) metadata.
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415
 **`pe.imphash`**
-: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
 type: keyword
@@ -4145,10 +4139,10 @@ type: keyword
 example: Microsoft® Windows® Operating System
+## process [_process]
-## process [_process_2]
-
-These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+These fields contain information about a process.
+These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
 **`process.args`**
 : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.
@@ -4275,7 +4269,7 @@ example: Intel
 **`process.elf.creation_date`**
-: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
 type: date
@@ -4645,7 +4639,7 @@ example: Intel
 **`process.parent.elf.creation_date`**
-: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
 type: date
@@ -4923,7 +4917,7 @@ example: 6.3.9600.17415
 **`process.parent.pe.imphash`**
-: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
 type: keyword
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415
 **`process.pe.imphash`**
-: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
 type: keyword
@@ -5150,7 +5144,6 @@ example: /home/alice
 : type: match_only_text
-
 ## registry [_registry]
 Fields related to Windows Registry operations.
@@ -5211,13 +5204,14 @@ type: keyword
 example: Debugger
-
 ## related [_related]
-This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
+This field set is meant to facilitate pivoting around a piece of data.
+Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
+A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
 **`related.hash`**
-: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).
+: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
 type: keyword
@@ -5240,10 +5234,10 @@ type: ip
 type: keyword
-
 ## rule [_rule]
-Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
+Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
 **`rule.author`**
 : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
@@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS
 **`rule.reference`**
-: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
+: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
 type: keyword
-example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
+example: https://en.wikipedia.org/wiki/DNS_over_TLS
 **`rule.ruleset`**
@@ -5325,10 +5319,11 @@ type: keyword
 example: 1.1
-
 ## server [_server]
-A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
+A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
+For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
+Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
 **`server.address`**
 : Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -5383,7 +5378,7 @@ example: Montreal
 **`server.geo.continent_code`**
-: Two-letter code representing continent’s name.
+: Two-letter code representing continent's name.
 type: keyword
@@ -5507,7 +5502,7 @@ format: string
 **`server.registered_domain`**
-: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 type: keyword
@@ -5523,7 +5518,7 @@ example: east
 **`server.top_level_domain`**
-: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
 type: keyword
@@ -5543,7 +5538,7 @@ type: keyword
 **`server.user.full_name`**
-: User’s full name, if available.
+: User's full name, if available.
 type: keyword
@@ -5606,10 +5601,10 @@ type: keyword
 example: ["kibana_admin", "reporting_user"]
-
 ## service [_service]
-The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
+The service fields describe the service for or from which the data was collected.
+These fields help you find and correlate logs for a specific service and version.
 **`service.address`**
 : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics
 **`service.node.name`**
-: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
 type: keyword
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics
 **`service.origin.node.name`**
-: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
 type: keyword
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics
 **`service.target.node.name`**
-: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
+: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.
 type: keyword
@@ -5821,10 +5816,10 @@ type: keyword
 example: 3.2.4
-
 ## source [_source]
-Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
+Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
+Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.
 **`source.address`**
 : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
@@ -5879,7 +5874,7 @@ example: Montreal
 **`source.geo.continent_code`**
-: Two-letter code representing continent’s name.
+: Two-letter code representing continent's name.
 type: keyword
@@ -6003,7 +5998,7 @@ format: string
 **`source.registered_domain`**
-: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 type: keyword
@@ -6019,7 +6014,7 @@ example: east
 **`source.top_level_domain`**
-: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
 type: keyword
@@ -6039,7 +6034,7 @@ type: keyword
 **`source.user.full_name`**
-: User’s full name, if available.
+: User's full name, if available.
 type: keyword
@@ -6102,10 +6097,10 @@ type: keyword
 example: ["kibana_admin", "reporting_user"]
-
 ## threat [_threat]
-Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
+These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
 **`threat.enrichments`**
 : A list of associated indicators objects enriching the event, and the context of that association/enrichment.
@@ -6140,7 +6135,7 @@ example: Google LLC
 **`threat.enrichments.indicator.confidence`**
-: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
+: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High
 type: keyword
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK.
 type: keyword
-example: `phish@example.com`
+example: phish@example.com
 **`threat.enrichments.indicator.file.accessed`**
@@ -6170,7 +6165,7 @@ type: date
 **`threat.enrichments.indicator.file.attributes`**
-: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
 type: keyword
@@ -6310,7 +6305,7 @@ example: Intel
 **`threat.enrichments.indicator.file.elf.creation_date`**
-: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
 type: date
@@ -6548,7 +6543,7 @@ example: 256383
 **`threat.enrichments.indicator.file.mime_type`**
-: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
+: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
 type: keyword
@@ -6576,7 +6571,7 @@ example: example.png
 **`threat.enrichments.indicator.file.owner`**
-: File owner’s username.
+: File owner's username.
 type: keyword
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415
 **`threat.enrichments.indicator.file.pe.imphash`**
-: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html).
+: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
 type: keyword
@@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA
 **`threat.enrichments.indicator.file.x509.issuer.country`**
-: List of country © codes
+: List of country (C) codes
 type: keyword
@@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA
 **`threat.enrichments.indicator.file.x509.signature_algorithm`**
-: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
 type: keyword
@@ -6824,7 +6819,7 @@ example: shared.global.example.net
 **`threat.enrichments.indicator.file.x509.subject.country`**
-: List of country © code
+: List of country (C) code
 type: keyword
@@ -6894,7 +6889,7 @@ example: Montreal
 **`threat.enrichments.indicator.geo.continent_code`**
-: Two-letter code representing continent’s name.
+: Two-letter code representing continent's name.
 type: keyword
@@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z
 **`threat.enrichments.indicator.marking.tlp`**
-: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
+: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED
 type: keyword
@@ -7014,7 +7009,7 @@ example: 443
 **`threat.enrichments.indicator.provider`**
-: The name of the indicator’s provider.
+: The name of the indicator's provider.
 type: keyword
@@ -7026,7 +7021,7 @@ example: lrz_urlhaus
 type: keyword
-example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234)
+example: https://system.example.com/indicator/0001234
 **`threat.enrichments.indicator.registry.data.bytes`**
@@ -7102,7 +7097,7 @@ example: 20
 **`threat.enrichments.indicator.type`**
-: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
+: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate
 type: keyword
@@ -7136,7 +7131,7 @@ type: keyword
 type: wildcard
-example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top)
+example: https://www.elastic.co:443/search?q=elasticsearch#top
 **`threat.enrichments.indicator.url.full.text`**
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela
 type: wildcard
-example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch
+example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
 **`threat.enrichments.indicator.url.original.text`**
@@ -7184,7 +7179,7 @@ type: keyword
 **`threat.enrichments.indicator.url.registered_domain`**
-: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
 type: keyword
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII… ", "MII… "] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "… "] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII… ", "MII… "] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,7 +9550,6 @@ type: keyword example: 00f067aa0ba902b7 - ## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword - ## user [_user] -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/packetbeat/exported-fields-flows_event.md b/docs/reference/packetbeat/exported-fields-flows_event.md index 0608c649c759..8c92de54f0c3 100644 --- a/docs/reference/packetbeat/exported-fields-flows_event.md +++ b/docs/reference/packetbeat/exported-fields-flows_event.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-flows_event.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Flow Event fields [exported-fields-flows_event] These fields contain data about the flow itself. @@ -18,7 +20,7 @@ type: boolean **`flow.vlan`** -: VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag’s VLAN identifier listed first. +: VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. type: long 
diff --git a/docs/reference/packetbeat/exported-fields-host-processor.md b/docs/reference/packetbeat/exported-fields-host-processor.md index 58f2cfa6ff42..0d36fe9d4b4b 100644 --- a/docs/reference/packetbeat/exported-fields-host-processor.md +++ b/docs/reference/packetbeat/exported-fields-host-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/packetbeat/exported-fields-http.md b/docs/reference/packetbeat/exported-fields-http.md index ae910b3f73c1..ed26bb2d0257 100644 --- a/docs/reference/packetbeat/exported-fields-http.md +++ b/docs/reference/packetbeat/exported-fields-http.md @@ -3,17 +3,17 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-http.html --- +% This file is generated! See scripts/generate_fields_docs.py + # HTTP fields [exported-fields-http] HTTP-specific event fields. - -## http [_http_2] +## http [_http] Information about the HTTP request and response. - -## request [_request_2] +## request [_request] HTTP request @@ -29,8 +29,7 @@ type: object alias to: url.query - -## response [_response_2] +## response [_response] HTTP response diff --git a/docs/reference/packetbeat/exported-fields-icmp.md b/docs/reference/packetbeat/exported-fields-icmp.md index 7da74e5b6196..5387fe901b5c 100644 --- a/docs/reference/packetbeat/exported-fields-icmp.md +++ b/docs/reference/packetbeat/exported-fields-icmp.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-icmp.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ICMP fields [exported-fields-icmp] ICMP specific event fields. 
diff --git a/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md index 80adea727fe9..cc619f9c32c8 100644 --- a/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/packetbeat/exported-fields-jolokia-autodiscover.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword diff --git a/docs/reference/packetbeat/exported-fields-kubernetes-processor.md b/docs/reference/packetbeat/exported-fields-kubernetes-processor.md index 82cc7754cfb0..a7ca1b62a1e7 100644 --- a/docs/reference/packetbeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/packetbeat/exported-fields-kubernetes-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/packetbeat/exported-fields-memcache.md b/docs/reference/packetbeat/exported-fields-memcache.md index df7c9a959dd9..d36ce9490288 100644 --- a/docs/reference/packetbeat/exported-fields-memcache.md +++ b/docs/reference/packetbeat/exported-fields-memcache.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-memcache.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Memcache fields [exported-fields-memcache] Memcached-specific event fields @@ -174,25 +176,25 @@ type: long **`memcache.request.raw_args`** -: The text protocol raw arguments for the "stats …" and "lru crawl …" commands. +: The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. type: keyword **`memcache.request.source_class`** -: The source class id in *slab reassign* command. +: The source class id in 'slab reassign' command. type: long **`memcache.request.dest_class`** -: The destination class id in *slab reassign* command. +: The destination class id in 'slab reassign' command. type: long **`memcache.request.automove`** -: The automove mode in the *slab automove* command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. +: The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. type: keyword @@ -216,7 +218,7 @@ type: long **`memcache.request.sleep_us`** -: The sleep setting in microseconds for the *lru_crawler sleep* command. +: The sleep setting in microseconds for the 'lru_crawler sleep' command. type: long diff --git a/docs/reference/packetbeat/exported-fields-mongodb.md b/docs/reference/packetbeat/exported-fields-mongodb.md index 8bd68d908403..0a378f69bdd4 100644 --- a/docs/reference/packetbeat/exported-fields-mongodb.md +++ b/docs/reference/packetbeat/exported-fields-mongodb.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-mongodb.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MongoDb fields [exported-fields-mongodb] MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well. diff --git a/docs/reference/packetbeat/exported-fields-mysql.md b/docs/reference/packetbeat/exported-fields-mysql.md index f6bbcfc02e67..3afb4368ac20 100644 --- a/docs/reference/packetbeat/exported-fields-mysql.md +++ b/docs/reference/packetbeat/exported-fields-mysql.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-mysql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # MySQL fields [exported-fields-mysql] MySQL-specific event fields. @@ -26,7 +28,7 @@ type: long **`mysql.query`** -: The row mysql query as read from the transaction’s request. +: The row mysql query as read from the transaction's request. **`mysql.error_code`** diff --git a/docs/reference/packetbeat/exported-fields-nfs.md b/docs/reference/packetbeat/exported-fields-nfs.md index 64c1e798f6c5..e05cb42454b4 100644 --- a/docs/reference/packetbeat/exported-fields-nfs.md +++ b/docs/reference/packetbeat/exported-fields-nfs.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-nfs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # NFS fields [exported-fields-nfs] NFS v4/3 specific event fields. @@ -31,7 +33,6 @@ type: long : NFS operation reply status. - ## rpc [_rpc] ONC RPC specific event fields. 
@@ -49,19 +50,19 @@ ONC RPC specific event fields. **`rpc.cred.uid`** -: RPC caller’s user id, in case of auth-unix. +: RPC caller's user id, in case of auth-unix. type: long **`rpc.cred.gid`** -: RPC caller’s group id, in case of auth-unix. +: RPC caller's group id, in case of auth-unix. type: long **`rpc.cred.gids`** -: RPC caller’s secondary group ids, in case of auth-unix. +: RPC caller's secondary group ids, in case of auth-unix. **`rpc.cred.stamp`** @@ -71,7 +72,7 @@ type: long **`rpc.cred.machinename`** -: The name of the caller’s machine. +: The name of the caller's machine. **`rpc.call_size`** diff --git a/docs/reference/packetbeat/exported-fields-pgsql.md b/docs/reference/packetbeat/exported-fields-pgsql.md index 17a0556830d6..ee6fc38fe8ce 100644 --- a/docs/reference/packetbeat/exported-fields-pgsql.md +++ b/docs/reference/packetbeat/exported-fields-pgsql.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-pgsql.html --- +% This file is generated! See scripts/generate_fields_docs.py + # PostgreSQL fields [exported-fields-pgsql] PostgreSQL-specific event fields. diff --git a/docs/reference/packetbeat/exported-fields-process.md b/docs/reference/packetbeat/exported-fields-process.md index a970e1bc49f5..f885eb531ee2 100644 --- a/docs/reference/packetbeat/exported-fields-process.md +++ b/docs/reference/packetbeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields @@ -13,7 +15,6 @@ Process metadata fields alias to: process.executable - ## owner [_owner] Process owner information. diff --git a/docs/reference/packetbeat/exported-fields-raw.md b/docs/reference/packetbeat/exported-fields-raw.md index bad2c6afe066..0a7fdaf945aa 100644 
--- a/docs/reference/packetbeat/exported-fields-raw.md +++ b/docs/reference/packetbeat/exported-fields-raw.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-raw.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Raw fields [exported-fields-raw] These fields contain the raw transaction data. diff --git a/docs/reference/packetbeat/exported-fields-redis.md b/docs/reference/packetbeat/exported-fields-redis.md index 50085b8fcb10..a7f69aadcf8b 100644 --- a/docs/reference/packetbeat/exported-fields-redis.md +++ b/docs/reference/packetbeat/exported-fields-redis.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-redis.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Redis fields [exported-fields-redis] Redis-specific event fields. diff --git a/docs/reference/packetbeat/exported-fields-sip.md b/docs/reference/packetbeat/exported-fields-sip.md index 9ec3ffd41314..43c3de933e18 100644 --- a/docs/reference/packetbeat/exported-fields-sip.md +++ b/docs/reference/packetbeat/exported-fields-sip.md @@ -3,11 +3,12 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-sip.html --- +% This file is generated! See scripts/generate_fields_docs.py + # SIP fields [exported-fields-sip] SIP-specific event fields. - ## sip [_sip] Information about SIP traffic. diff --git a/docs/reference/packetbeat/exported-fields-thrift.md b/docs/reference/packetbeat/exported-fields-thrift.md index c774f8f17451..86a4c1f2b6a8 100644 --- a/docs/reference/packetbeat/exported-fields-thrift.md +++ b/docs/reference/packetbeat/exported-fields-thrift.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-thrift.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Thrift-RPC fields [exported-fields-thrift] Thrift-RPC specific event fields. 
diff --git a/docs/reference/packetbeat/exported-fields-tls_detailed.md b/docs/reference/packetbeat/exported-fields-tls_detailed.md index f28fd5e36bba..65b1c268132f 100644 --- a/docs/reference/packetbeat/exported-fields-tls_detailed.md +++ b/docs/reference/packetbeat/exported-fields-tls_detailed.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Detailed TLS fields [exported-fields-tls_detailed] Detailed TLS-specific event fields. @@ -92,12 +94,11 @@ type: keyword **`tls.detailed.client_hello.supported_compression_methods`** -: The list of compression methods the client supports. See [https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml](https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml) +: The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml type: keyword - ## extensions [_extensions] The hello extensions provided by the client. @@ -144,7 +145,6 @@ type: keyword type: keyword - ## status_request [_status_request] Status request made to the server. @@ -197,8 +197,7 @@ type: keyword type: keyword - -## extensions [_extensions_2] +## extensions [_extensions] The hello extensions provided by the server. @@ -226,8 +225,7 @@ type: keyword type: keyword - -## status_request [_status_request_2] +## status_request [_status_request] Status request made to the server. diff --git a/docs/reference/packetbeat/exported-fields-trans_event.md b/docs/reference/packetbeat/exported-fields-trans_event.md index 1235d947435e..0374a7ccb507 100644 --- a/docs/reference/packetbeat/exported-fields-trans_event.md +++ b/docs/reference/packetbeat/exported-fields-trans_event.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-trans_event.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Transaction Event fields [exported-fields-trans_event] These fields contain data about the transaction itself. diff --git a/docs/reference/packetbeat/exported-fields-trans_measurements.md b/docs/reference/packetbeat/exported-fields-trans_measurements.md index 6a002a42f5b4..c88797f75de7 100644 --- a/docs/reference/packetbeat/exported-fields-trans_measurements.md +++ b/docs/reference/packetbeat/exported-fields-trans_measurements.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-trans_measurements.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Measurements (Transactions) fields [exported-fields-trans_measurements] These fields contain measurements related to the transaction. diff --git a/docs/reference/packetbeat/exported-fields.md b/docs/reference/packetbeat/exported-fields.md index 58fae9a62025..70159cba0e54 100644 --- a/docs/reference/packetbeat/exported-fields.md +++ b/docs/reference/packetbeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Packetbeat. They are grouped in the following categories: @@ -35,4 +37,3 @@ This document describes the fields that are exported by Packetbeat. They are gro * [*Detailed TLS fields*](/reference/packetbeat/exported-fields-tls_detailed.md) * [*Transaction Event fields*](/reference/packetbeat/exported-fields-trans_event.md) * [*Measurements (Transactions) fields*](/reference/packetbeat/exported-fields-trans_measurements.md) - 
diff --git a/docs/reference/toc.yml b/docs/reference/toc.yml index eea1a4beffd5..5efd40010049 100644 --- a/docs/reference/toc.yml +++ b/docs/reference/toc.yml @@ -1196,6 +1196,7 @@ toc: - file: metricbeat/exported-fields-aerospike.md - file: metricbeat/exported-fields-airflow.md - file: metricbeat/exported-fields-apache.md + - file: metricbeat/exported-fields-autoops_es.md - file: metricbeat/exported-fields-aws.md - file: metricbeat/exported-fields-awsfargate.md - file: metricbeat/exported-fields-azure.md @@ -1238,6 +1239,7 @@ toc: - file: metricbeat/exported-fields-linux.md - file: metricbeat/exported-fields-logstash.md - file: metricbeat/exported-fields-memcached.md + - file: metricbeat/exported-fields-meraki.md - file: metricbeat/exported-fields-mongodb.md - file: metricbeat/exported-fields-mssql.md - file: metricbeat/exported-fields-munin.md diff --git a/docs/reference/winlogbeat/exported-fields-beat-common.md b/docs/reference/winlogbeat/exported-fields-beat-common.md index a1c167ad18a0..097734b48d98 100644 --- a/docs/reference/winlogbeat/exported-fields-beat-common.md +++ b/docs/reference/winlogbeat/exported-fields-beat-common.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-beat-common.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Beat fields [exported-fields-beat-common] Contains common beat fields available in all event types. diff --git a/docs/reference/winlogbeat/exported-fields-cloud.md b/docs/reference/winlogbeat/exported-fields-cloud.md index 7c4b97380b38..1aed5885ef76 100644 --- a/docs/reference/winlogbeat/exported-fields-cloud.md +++ b/docs/reference/winlogbeat/exported-fields-cloud.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-cloud.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Cloud provider metadata fields [exported-fields-cloud] Metadata from cloud providers added by the add_cloud_metadata processor. diff --git a/docs/reference/winlogbeat/exported-fields-docker-processor.md b/docs/reference/winlogbeat/exported-fields-docker-processor.md index 2551bf668f28..9f3fd1939788 100644 --- a/docs/reference/winlogbeat/exported-fields-docker-processor.md +++ b/docs/reference/winlogbeat/exported-fields-docker-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-docker-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Docker fields [exported-fields-docker-processor] Docker stats collected from Docker. diff --git a/docs/reference/winlogbeat/exported-fields-ecs.md b/docs/reference/winlogbeat/exported-fields-ecs.md index 28d3e1589a72..8fb204c3c382 100644 --- a/docs/reference/winlogbeat/exported-fields-ecs.md +++ b/docs/reference/winlogbeat/exported-fields-ecs.md 
@@ -3,14 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-ecs.html --- +% This file is generated! See scripts/generate_fields_docs.py + # ECS fields [exported-fields-ecs] -This section defines Elastic Common Schema (ECS) fields—a common set of fields to be used when storing event data in {{es}}. +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{es}}. -This is an exhaustive list, and fields listed here are not necessarily used by Winlogbeat. The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. +This is an exhaustive list, and fields listed here are not necessarily used by Winlogbeat. +The goal of ECS is to enable and encourage users of {{es}} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. See the [ECS reference](ecs://reference/index.md) for more information. - **`@timestamp`** : Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
@@ -45,10 +49,10 @@ type: keyword example: ["production", "env2"] - ## agent [_agent] -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. **`agent.build.original`** : Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. @@ -98,7 +102,6 @@ type: keyword example: 6.0.0-rc2 - ## as [_as] An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. 
@@ -123,10 +126,11 @@ example: Google LLC : type: match_only_text - ## client [_client] -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`client.address`** : Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -181,7 +185,7 @@ example: Montreal **`client.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -305,7 +309,7 @@ format: string **`client.registered_domain`** -: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -321,7 +325,7 @@ example: east **`client.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -341,7 +345,7 @@ type: keyword **`client.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -404,7 +408,6 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## cloud [_cloud] Fields related to the cloud or infrastructure the events are coming from. @@ -667,7 +670,6 @@ type: keyword example: lambda - ## code_signature [_code_signature] These fields contain information about binary code signatures. @@ -744,7 +746,6 @@ type: boolean example: true - ## container [_container] Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -823,13 +824,14 @@ type: keyword example: docker - ## data_stream [_data_stream] -The data_stream fields take part in defining the new data stream naming scheme. In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this [blog post](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme). An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional [restrictions](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-create). +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. 
Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. **`data_stream.dataset`** -: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters +: The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -837,7 +839,7 @@ example: nginx.access **`data_stream.namespace`** -: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters +: A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters type: constant_keyword 
@@ -852,10 +854,10 @@ type: constant_keyword example: logs - ## destination [_destination] -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`destination.address`** : Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -910,7 +912,7 @@ example: Montreal **`destination.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -1034,7 +1036,7 @@ format: string **`destination.registered_domain`** -: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1050,7 +1052,7 @@ example: east **`destination.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1070,7 +1072,7 @@ type: keyword **`destination.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -1133,12 +1135,14 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## dll [_dll] These fields contain information about code libraries dynamically loaded into processes. -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: * Dynamic-link library (`.dll`) commonly used on Windows * Shared Object (`.so`) commonly used on Unix-like operating systems * Dynamic library (`.dylib`) commonly used on macOS +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS **`dll.code_signature.digest_algorithm`** : The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. @@ -1291,7 +1295,7 @@ example: 6.3.9600.17415 **`dll.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -1314,10 +1318,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## dns [_dns] -Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). **`dns.answers`** : An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. @@ -1342,7 +1346,7 @@ example: 10.10.10.10 **`dns.answers.name`** -: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated. +: The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword 
@@ -1406,7 +1410,7 @@ example: www.example.com **`dns.question.registered_domain`** -: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -1422,7 +1426,7 @@ example: www **`dns.question.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -1461,13 +1465,12 @@ type: keyword example: answer - ## ecs [_ecs] Meta-information specific to ECS. **`ecs.version`** -: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events. +: ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword @@ -1476,7 +1479,6 @@ example: 1.0.0 required: True - ## elf [_elf] These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -1506,7 +1508,7 @@ example: Intel **`elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -1673,10 +1675,10 @@ type: keyword type: keyword - ## error [_error] -These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. **`error.code`** : Error code describing the error. 
@@ -1714,10 +1716,10 @@ type: keyword example: java.lang.NullPointerException - ## event [_event] -The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. **`event.action`** : The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
@@ -1728,7 +1730,7 @@ example: user-password-change **`event.agent_id_status`** -: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +: Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword @@ -1752,7 +1754,7 @@ example: 4648 **`event.created`** -: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +: event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date 
@@ -1760,7 +1762,7 @@ example: 2016-05-23T08:05:34.857Z **`event.dataset`** -: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +: Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword @@ -1798,7 +1800,7 @@ example: 8a4f500d **`event.ingested`** -: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +: Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date @@ -1826,7 +1828,7 @@ example: apache type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 Field is not indexed. 
@@ -1860,11 +1862,11 @@ example: Terminated an unexpected process type: keyword -example: [https://system.example.com/event/#0001234](https://system.example.com/event/#0001234) +example: https://system.example.com/event/#0001234 **`event.risk_score`** -: Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. +: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float @@ -1884,7 +1886,7 @@ format: string **`event.severity`** -: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +: The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. type: long 
@@ -1900,7 +1902,7 @@ type: date **`event.timezone`** -: This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +: This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword @@ -1916,8 +1918,7 @@ type: keyword type: keyword -example: [https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe](https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe) - +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe ## faas [_faas] 
@@ -1953,17 +1954,17 @@ example: 123456789 **`faas.trigger.type`** -: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other +: The trigger for the function execution. Expected values are: * http * pubsub * datasource * timer * other type: keyword example: http - ## file [_file] -A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. **`file.accessed`** : Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -1972,7 +1973,7 @@ type: date **`file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword 
@@ -2112,7 +2113,7 @@ example: Intel **`file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -2350,7 +2351,7 @@ example: 256383 **`file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2378,7 +2379,7 @@ example: example.png **`file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -2430,7 +2431,7 @@ example: 6.3.9600.17415 **`file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -2504,7 +2505,7 @@ example: Example SHA2 High Assurance Server CA **`file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -2610,7 +2611,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -2626,7 +2627,7 @@ example: shared.global.example.net **`file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -2679,10 +2680,10 @@ type: keyword example: 3 - ## geo [_geo] -Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. **`geo.city_name`** : City name. @@ -2693,7 +2694,7 @@ example: Montreal **`geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -2772,7 +2773,6 @@ type: keyword example: America/Argentina/Buenos_Aires - ## group [_group] The group fields are meant to represent groups that are relevant to the event. 
@@ -2795,10 +2795,11 @@ type: keyword type: keyword - ## hash [_hash] -The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). **`hash.md5`** : MD5 hash. @@ -2830,10 +2831,10 @@ type: keyword type: keyword - ## host [_host] -A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. **`host.architecture`** : Operating system architecture. 
@@ -2862,7 +2863,7 @@ type: long **`host.domain`** -: Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. +: Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword @@ -2878,7 +2879,7 @@ example: Montreal **`host.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3062,7 +3063,7 @@ example: darwin **`host.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3091,7 +3092,6 @@ type: long example: 1325 - ## http [_http] Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3145,7 +3145,7 @@ example: POST **`http.request.mime_type`** -: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request’s Content-Type header can be helpful in detecting threats or misconfigured clients. +: Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword @@ -3157,7 +3157,7 @@ example: image/gif type: keyword -example: [https://blog.example.com/](https://blog.example.com/) +example: https://blog.example.com/ **`http.response.body.bytes`** @@ -3193,7 +3193,7 @@ format: bytes **`http.response.mime_type`** -: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response’s Content-Type header can be helpful in detecting misconfigured servers. +: Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. type: keyword @@ -3218,7 +3218,6 @@ type: keyword example: 1.1 - ## interface [_interface] The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. 
@@ -3247,13 +3246,14 @@ type: keyword example: eth0 - ## log [_log] -Details about the event’s logging mechanism or logging transport. The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. **`log.file.path`** -: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. +: Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. type: keyword @@ -3261,7 +3261,7 @@ example: /var/log/fun-times.log **`log.level`** -: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. +: Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. type: keyword 
@@ -3335,7 +3335,7 @@ format: string **`log.syslog.severity.code`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -3343,20 +3343,20 @@ example: 3 **`log.syslog.severity.name`** -: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +: The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword example: Error - ## network [_network] -The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. **`network.application`** -: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. +: When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. type: keyword @@ -3374,7 +3374,7 @@ format: bytes **`network.community_id`** -: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at [https://github.com/corelight/community-id-spec](https://github.com/corelight/community-id-spec). +: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. type: keyword 
@@ -3382,9 +3382,7 @@ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= **`network.direction`** -: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown - -When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +: Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword 
@@ -3400,7 +3398,7 @@ example: 192.1.1.2 **`network.iana_number`** -: IANA Protocol Number ([https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword 
@@ -3485,10 +3483,10 @@ type: keyword example: outside - ## observer [_observer] -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. **`observer.egress`** : Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. 
@@ -3553,7 +3551,7 @@ example: Montreal **`observer.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -3763,7 +3761,7 @@ example: darwin **`observer.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3814,7 +3812,6 @@ example: Symantec type: keyword - ## orchestrator [_orchestrator] Fields that describe the resources which container orchestrators manage or act upon. @@ -3885,10 +3882,10 @@ type: keyword example: kubernetes - ## organization [_organization] -The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. **`organization.id`** : Unique identifier for the organization. @@ -3906,7 +3903,6 @@ type: keyword : type: match_only_text - ## os [_os] The OS fields contain information about the operating system. 
@@ -3960,7 +3956,7 @@ example: darwin **`os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword @@ -3975,7 +3971,6 @@ type: keyword example: 10.14.1 - ## package [_package] These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. @@ -4027,7 +4022,7 @@ type: date **`package.license`** -: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible ([https://spdx.org/licenses/](https://spdx.org/licenses/)). +: License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword @@ -4055,7 +4050,7 @@ example: /usr/local/Cellar/go/1.12.9/ type: keyword -example: [https://golang.org](https://golang.org) +example: https://golang.org **`package.size`** @@ -4084,7 +4079,6 @@ type: keyword example: 1.12.9 - ## pe [_pe] These fields contain Windows Portable Executable (PE) metadata. 
@@ -4122,7 +4116,7 @@ example: 6.3.9600.17415 **`pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -4145,10 +4139,10 @@ type: keyword example: Microsoft® Windows® Operating System - ## process [_process] -These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. **`process.args`** : Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. @@ -4275,7 +4269,7 @@ example: Intel **`process.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -4645,7 +4639,7 @@ example: Intel **`process.parent.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -4923,7 +4917,7 @@ example: 6.3.9600.17415 **`process.parent.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword 
@@ -5053,7 +5047,7 @@ example: 6.3.9600.17415 **`process.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -5150,7 +5144,6 @@ example: /home/alice : type: match_only_text - ## registry [_registry] Fields related to Windows Registry operations. 
@@ -5211,13 +5204,14 @@ type: keyword example: Debugger - ## related [_related] -This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. **`related.hash`** -: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). +: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword 
@@ -5240,10 +5234,10 @@ type: ip type: keyword - ## rule [_rule] -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. **`rule.author`** : Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. @@ -5294,11 +5288,11 @@ example: BLOCK_DNS_over_TLS **`rule.reference`** -: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +: Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) +example: https://en.wikipedia.org/wiki/DNS_over_TLS **`rule.ruleset`** 
@@ -5325,10 +5319,11 @@ type: keyword example: 1.1 - ## server [_server] -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. **`server.address`** : Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5383,7 +5378,7 @@ example: Montreal **`server.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -5507,7 +5502,7 @@ format: string **`server.registered_domain`** -: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -5523,7 +5518,7 @@ example: east **`server.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5543,7 +5538,7 @@ type: keyword **`server.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -5606,10 +5601,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## service [_service] -The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. **`service.address`** : Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
@@ -5652,7 +5647,7 @@ example: elasticsearch-metrics **`service.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5700,7 +5695,7 @@ example: elasticsearch-metrics **`service.origin.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5776,7 +5771,7 @@ example: elasticsearch-metrics **`service.target.node.name`** -: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn’t have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +: Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword 
@@ -5821,10 +5816,10 @@ type: keyword example: 3.2.4 - ## source [_source] -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. **`source.address`** : Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5879,7 +5874,7 @@ example: Montreal **`source.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword 
@@ -6003,7 +5998,7 @@ format: string **`source.registered_domain`** -: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -6019,7 +6014,7 @@ example: east **`source.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6039,7 +6034,7 @@ type: keyword **`source.user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword 
@@ -6102,10 +6097,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## threat [_threat] -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). **`threat.enrichments`** : A list of associated indicators objects enriching the event, and the context of that association/enrichment. @@ -6140,7 +6135,7 @@ example: Google LLC **`threat.enrichments.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword 
@@ -6160,7 +6155,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.enrichments.indicator.file.accessed`** @@ -6170,7 +6165,7 @@ type: date **`threat.enrichments.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -6310,7 +6305,7 @@ example: Intel **`threat.enrichments.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date @@ -6548,7 +6543,7 @@ example: 256383 **`threat.enrichments.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -6576,7 +6571,7 @@ example: example.png **`threat.enrichments.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword 
@@ -6628,7 +6623,7 @@ example: 6.3.9600.17415 **`threat.enrichments.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -6702,7 +6697,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -6808,7 +6803,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -6824,7 +6819,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -6894,7 +6889,7 @@ example: Montreal **`threat.enrichments.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -6990,7 +6985,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.enrichments.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -7014,7 +7009,7 @@ example: 443 **`threat.enrichments.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -7026,7 +7021,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.enrichments.indicator.registry.data.bytes`** @@ -7102,7 +7097,7 @@ example: 20 **`threat.enrichments.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -7136,7 +7131,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.enrichments.indicator.url.full.text`** 
@@ -7148,7 +7143,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.enrichments.indicator.url.original.text`** @@ -7184,7 +7179,7 @@ type: keyword **`threat.enrichments.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword 
@@ -7208,7 +7203,7 @@ example: east **`threat.enrichments.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7238,7 +7233,7 @@ example: Example SHA2 High Assurance Server CA **`threat.enrichments.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -7344,7 +7339,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.enrichments.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -7360,7 +7355,7 @@ example: shared.global.example.net **`threat.enrichments.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword 
@@ -7490,7 +7485,7 @@ example: FIN6 type: keyword -example: [https://attack.mitre.org/groups/G0037/](https://attack.mitre.org/groups/G0037/) +example: https://attack.mitre.org/groups/G0037/ **`threat.indicator.as.number`** @@ -7514,7 +7509,7 @@ example: Google LLC **`threat.indicator.confidence`** -: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High +: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: * Not Specified * None * Low * Medium * High type: keyword @@ -7534,7 +7529,7 @@ example: IP x.x.x.x was observed delivering the Angler EK. type: keyword -example: `phish@example.com` +example: phish@example.com **`threat.indicator.file.accessed`** @@ -7544,7 +7539,7 @@ type: date **`threat.indicator.file.attributes`** -: Array of file attributes. Attributes names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +: Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword @@ -7684,7 +7679,7 @@ example: Intel **`threat.indicator.file.elf.creation_date`** -: Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date 
@@ -7922,7 +7917,7 @@ example: 256383 **`threat.indicator.file.mime_type`** -: MIME type should identify the format of the file or stream of bytes using [IANA official types](https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used. +: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -7950,7 +7945,7 @@ example: example.png **`threat.indicator.file.owner`** -: File owner’s username. +: File owner's username. type: keyword @@ -8002,7 +7997,7 @@ example: 6.3.9600.17415 **`threat.indicator.file.pe.imphash`** -: A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html). +: A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword @@ -8076,7 +8071,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.file.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8182,7 +8177,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.file.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8198,7 +8193,7 @@ example: shared.global.example.net **`threat.indicator.file.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8268,7 +8263,7 @@ example: Montreal **`threat.indicator.geo.continent_code`** -: Two-letter code representing continent’s name. +: Two-letter code representing continent's name. type: keyword @@ -8364,7 +8359,7 @@ example: 2020-11-05T17:25:47.000Z **`threat.indicator.marking.tlp`** -: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED +: Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword @@ -8388,7 +8383,7 @@ example: 443 **`threat.indicator.provider`** -: The name of the indicator’s provider. +: The name of the indicator's provider. type: keyword @@ -8400,7 +8395,7 @@ example: lrz_urlhaus type: keyword -example: [https://system.example.com/indicator/0001234](https://system.example.com/indicator/0001234) +example: https://system.example.com/indicator/0001234 **`threat.indicator.registry.data.bytes`** 
@@ -8476,7 +8471,7 @@ example: 20 **`threat.indicator.type`** -: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate +: Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword @@ -8510,7 +8505,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`threat.indicator.url.full.text`** @@ -8522,7 +8517,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`threat.indicator.url.original.text`** 
@@ -8558,7 +8553,7 @@ type: keyword **`threat.indicator.url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -8582,7 +8577,7 @@ example: east **`threat.indicator.url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8612,7 +8607,7 @@ example: Example SHA2 High Assurance Server CA **`threat.indicator.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -8718,7 +8713,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`threat.indicator.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -8734,7 +8729,7 @@ example: shared.global.example.net **`threat.indicator.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -8812,9 +8807,7 @@ example: AdFind **`threat.software.platforms`** -: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows - -While not required, you can use a MITRE ATT&CK® software platforms. +: The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows While not required, you can use a MITRE ATT&CK® software platforms. type: keyword 
@@ -8826,22 +8819,19 @@ example: [ "Windows" ] type: keyword -example: [https://attack.mitre.org/software/S0552/](https://attack.mitre.org/software/S0552/) +example: https://attack.mitre.org/software/S0552/ **`threat.software.type`** -: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool +: The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool While not required, you can use a MITRE ATT&CK® software type. -``` -While not required, you can use a MITRE ATT&CK® software type. -``` type: keyword example: Tool **`threat.tactic.id`** -: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -8849,7 +8839,7 @@ example: TA0002 **`threat.tactic.name`** -: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)) +: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -8857,15 +8847,15 @@ example: Execution **`threat.tactic.reference`** -: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) ) +: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/) +example: https://attack.mitre.org/tactics/TA0002/ **`threat.technique.id`** -: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -8873,7 +8863,7 @@ example: T1059 **`threat.technique.name`** -: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -8885,15 +8875,15 @@ example: Command and Scripting Interpreter **`threat.technique.reference`** -: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)) +: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/) +example: https://attack.mitre.org/techniques/T1059/ **`threat.technique.subtechnique.id`** -: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -8901,7 +8891,7 @@ example: T1059.001 **`threat.technique.subtechnique.name`** -: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -8913,12 +8903,11 @@ example: PowerShell **`threat.technique.subtechnique.reference`** -: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/)) +: The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: [https://attack.mitre.org/techniques/T1059/001/](https://attack.mitre.org/techniques/T1059/001/) - +example: https://attack.mitre.org/techniques/T1059/001/ ## tls [_tls] @@ -8938,7 +8927,7 @@ example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 type: keyword -example: MII… +example: MII... **`tls.client.certificate_chain`** @@ -8946,7 +8935,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.client.hash.md5`** @@ -9026,7 +9015,7 @@ example: CN=myclient, OU=Documentation Team, DC=example, DC=com type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "…"] +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] **`tls.client.x509.alternative_names`** @@ -9046,7 +9035,7 @@ example: Example SHA2 High Assurance Server CA **`tls.client.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9152,7 +9141,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.client.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9168,7 +9157,7 @@ example: shared.global.example.net **`tls.client.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9236,7 +9225,7 @@ type: boolean **`tls.next_protocol`** -: String indicating the protocol being tunneled. Per the values in the IANA registry ([https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)), this string should be lower case. +: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -9254,7 +9243,7 @@ type: boolean type: keyword -example: MII… +example: MII... **`tls.server.certificate_chain`** @@ -9262,7 +9251,7 @@ example: MII… type: keyword -example: ["MII…", "MII…"] +example: ["MII...", "MII..."] **`tls.server.hash.md5`** @@ -9346,7 +9335,7 @@ example: Example SHA2 High Assurance Server CA **`tls.server.x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword 
@@ -9452,7 +9441,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`tls.server.x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -9468,7 +9457,7 @@ example: shared.global.example.net **`tls.server.x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword @@ -9561,7 +9550,6 @@ type: keyword example: 00f067aa0ba902b7 - ## url [_url] URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. @@ -9593,7 +9581,7 @@ type: keyword type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) +example: https://www.elastic.co:443/search?q=elasticsearch#top **`url.full.text`** @@ -9605,7 +9593,7 @@ example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.ela type: wildcard -example: [https://www.elastic.co:443/search?q=elasticsearch#top](https://www.elastic.co:443/search?q=elasticsearch#top) or /search?q=elasticsearch +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch **`url.original.text`** 
@@ -9641,7 +9629,7 @@ type: keyword **`url.registered_domain`** -: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +: The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword @@ -9665,7 +9653,7 @@ example: east **`url.top_level_domain`** -: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list ([http://publicsuffix.org](http://publicsuffix.org)). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +: The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword 
@@ -9678,10 +9666,10 @@ example: co.uk type: keyword - ## user [_user] -The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. **`user.changes.domain`** : Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. @@ -9696,7 +9684,7 @@ type: keyword **`user.changes.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9778,7 +9766,7 @@ type: keyword **`user.effective.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9848,7 +9836,7 @@ type: keyword **`user.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9924,7 +9912,7 @@ type: keyword **`user.target.full_name`** -: User’s full name, if available. +: User's full name, if available. type: keyword @@ -9987,10 +9975,10 @@ type: keyword example: ["kibana_admin", "reporting_user"] - ## user_agent [_user_agent] -The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. **`user_agent.device.name`** : Name of the device. 
@@ -10069,7 +10057,7 @@ example: darwin **`user_agent.os.type`** -: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +: Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword 
@@ -10092,10 +10080,12 @@ type: keyword example: 12.0 - ## vlan [_vlan] -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. 
+Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. **`vlan.id`** : VLAN ID as reported by the observer. @@ -10113,13 +10103,12 @@ type: keyword example: outside - ## vulnerability [_vulnerability] The vulnerability fields describe information about a vulnerability that is relevant to an event. **`vulnerability.category`** -: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example ([Qualys vulnerability categories](https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm)) This field must be an array. +: The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. type: keyword @@ -10127,7 +10116,7 @@ example: ["Firewall"] **`vulnerability.classification`** -: The classification of the vulnerability scoring system. For example ([https://www.first.org/cvss/](https://www.first.org/cvss/)) +: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword 
@@ -10135,11 +10124,11 @@ example: CVSS **`vulnerability.description`** -: The description of the vulnerability that provides additional context of the vulnerability. For example ([Common Vulnerabilities and Exposure CVE description](https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created)) +: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword -example: In macOS before 2.12.6, there is a vulnerability in the RPC… +example: In macOS before 2.12.6, there is a vulnerability in the RPC... **`vulnerability.description.text`** @@ -10147,7 +10136,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC… **`vulnerability.enumeration`** -: The type of identifier used for this vulnerability. For example ([https://cve.mitre.org/about/](https://cve.mitre.org/about/)) +: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword @@ -10155,7 +10144,7 @@ example: CVE **`vulnerability.id`** -: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example ([Common Vulnerabilities and Exposure CVE ID](https://cve.mitre.org/about/faqs.html#what_is_cve_id)) +: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword @@ -10167,7 +10156,7 @@ example: CVE-2019-00001 type: keyword -example: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111) +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 **`vulnerability.report_id`** 
@@ -10187,7 +10176,7 @@ example: Tenable **`vulnerability.score.base`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) type: float @@ -10195,7 +10184,7 @@ example: 5.5 **`vulnerability.score.environmental`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) type: float 
@@ -10203,13 +10192,13 @@ example: 5.5 **`vulnerability.score.temporal`** -: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example ([https://www.first.org/cvss/specification-document](https://www.first.org/cvss/specification-document)) +: Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) type: float **`vulnerability.score.version`** -: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword 
@@ -10217,17 +10206,18 @@ example: 2.0 **`vulnerability.severity`** -: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example ([https://nvd.nist.gov/vuln-metrics/cvss](https://nvd.nist.gov/vuln-metrics/cvss)) +: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword example: Critical - ## x509 [_x509] -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. **`x509.alternative_names`** : List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
@@ -10246,7 +10236,7 @@ example: Example SHA2 High Assurance Server CA **`x509.issuer.country`** -: List of country © codes +: List of country (C) codes type: keyword @@ -10352,7 +10342,7 @@ example: 55FBB9C7DEBF09809D12CCAA **`x509.signature_algorithm`** -: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See [https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353](https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword @@ -10368,7 +10358,7 @@ example: shared.global.example.net **`x509.subject.country`** -: List of country © code +: List of country (C) code type: keyword diff --git a/docs/reference/winlogbeat/exported-fields-eventlog.md b/docs/reference/winlogbeat/exported-fields-eventlog.md index 84ef78314216..6965312caf44 100644 --- a/docs/reference/winlogbeat/exported-fields-eventlog.md +++ b/docs/reference/winlogbeat/exported-fields-eventlog.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-eventlog.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Legacy Winlogbeat alias fields [exported-fields-eventlog] Field aliases based on Winlogbeat 6.x that point to the fields for this version of Winlogbeat. These are added to the index template when `migration.6_to_7.enable: true` is set in the configuration. diff --git a/docs/reference/winlogbeat/exported-fields-host-processor.md b/docs/reference/winlogbeat/exported-fields-host-processor.md index 994fb9dd52d7..1b6630e7634a 100644 --- a/docs/reference/winlogbeat/exported-fields-host-processor.md +++ b/docs/reference/winlogbeat/exported-fields-host-processor.md 
@@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-host-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Host fields [exported-fields-host-processor] Info collected for the host machine. diff --git a/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md b/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md index 0b6b6339983e..48855bf2f056 100644 --- a/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md +++ b/docs/reference/winlogbeat/exported-fields-jolokia-autodiscover.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-jolokia-autodiscover.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Jolokia Discovery autodiscover provider fields [exported-fields-jolokia-autodiscover] Metadata from Jolokia Discovery added by the jolokia provider. @@ -26,7 +28,7 @@ type: keyword **`jolokia.server.version`** -: The container’s version (if detected). +: The container's version (if detected). type: keyword diff --git a/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md b/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md index 3344e9e0238e..801d3660adef 100644 --- a/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md +++ b/docs/reference/winlogbeat/exported-fields-kubernetes-processor.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-kubernetes-processor.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Kubernetes fields [exported-fields-kubernetes-processor] Kubernetes metadata added by the kubernetes processor diff --git a/docs/reference/winlogbeat/exported-fields-powershell.md b/docs/reference/winlogbeat/exported-fields-powershell.md index 436dec93c424..db90168d0160 100644 --- a/docs/reference/winlogbeat/exported-fields-powershell.md 
+++ b/docs/reference/winlogbeat/exported-fields-powershell.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-powershell.html --- +% This file is generated! See scripts/generate_fields_docs.py + # PowerShell module fields [exported-fields-powershell] These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs. @@ -47,8 +49,7 @@ type: long example: 10 - -## powershell.command [_powershell_command] +## powershell.command [_powershell.command] Data related to the executed command. @@ -122,8 +123,7 @@ type: text example: System.IO.Compression.FileSystem - -## powershell.connected_user [_powershell_connected_user] +## powershell.connected_user [_powershell.connected_user] Data related to the connected user executing the command. @@ -143,8 +143,7 @@ type: keyword example: vagrant - -## powershell.engine [_powershell_engine] +## powershell.engine [_powershell.engine] Data related to the PowerShell engine. @@ -172,8 +171,7 @@ type: keyword example: Stopped - -## powershell.file [_powershell_file] +## powershell.file [_powershell.file] Data related to the executed script file. @@ -201,8 +199,7 @@ type: keyword example: 5.1.17763.1007 - -## powershell.provider [_powershell_provider] +## powershell.provider [_powershell.provider] Data related to the PowerShell engine host. diff --git a/docs/reference/winlogbeat/exported-fields-process.md b/docs/reference/winlogbeat/exported-fields-process.md index f34dcce0faaf..f76decce276f 100644 --- a/docs/reference/winlogbeat/exported-fields-process.md +++ b/docs/reference/winlogbeat/exported-fields-process.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-process.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Process fields [exported-fields-process] Process metadata fields 
@@ -13,7 +15,6 @@ Process metadata fields alias to: process.executable - ## owner [_owner] Process owner information. diff --git a/docs/reference/winlogbeat/exported-fields-security.md b/docs/reference/winlogbeat/exported-fields-security.md index a2c737a33671..34f84a911bc5 100644 --- a/docs/reference/winlogbeat/exported-fields-security.md +++ b/docs/reference/winlogbeat/exported-fields-security.md @@ -3,12 +3,13 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-security.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Security module fields [exported-fields-security] These are the event fields specific to the module for the Security log. - -## winlog.logon [_winlog_logon] +## winlog.logon [_winlog.logon] Data related to a Windows logon. diff --git a/docs/reference/winlogbeat/exported-fields-sysmon.md b/docs/reference/winlogbeat/exported-fields-sysmon.md index 5b27996429c9..ca72df155a20 100644 --- a/docs/reference/winlogbeat/exported-fields-sysmon.md +++ b/docs/reference/winlogbeat/exported-fields-sysmon.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-sysmon.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Sysmon module fields [exported-fields-sysmon] These are the event fields specific to the Sysmon module. diff --git a/docs/reference/winlogbeat/exported-fields-winlog.md b/docs/reference/winlogbeat/exported-fields-winlog.md index 00d8acb3ee27..bcb9eb13f942 100644 --- a/docs/reference/winlogbeat/exported-fields-winlog.md +++ b/docs/reference/winlogbeat/exported-fields-winlog.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-winlog.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Winlogbeat fields [exported-fields-winlog] Fields from the Windows Event Log. 
@@ -11,7 +13,6 @@ Fields from the Windows Event Log. : The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log. The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems. - ## winlog [_winlog] All fields specific to the Windows Event Log are defined here. @@ -64,7 +65,6 @@ type: object required: False - ## event_data [_event_data] This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. @@ -610,7 +610,7 @@ required: True **`winlog.record_id`** -: The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (232 for the Event Logging API and 264 for the Windows Event Log API), the next record number will be 0. +: The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. type: keyword @@ -744,7 +744,7 @@ required: False **`winlog.version`** -: The version number of the event’s definition. +: The version number of the event's definition. type: long diff --git a/docs/reference/winlogbeat/exported-fields.md b/docs/reference/winlogbeat/exported-fields.md index 384a7c6fe21b..d9ce7446cb27 100644 --- a/docs/reference/winlogbeat/exported-fields.md 
+++ b/docs/reference/winlogbeat/exported-fields.md @@ -3,6 +3,8 @@ mapped_pages: - https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields.html --- +% This file is generated! See scripts/generate_fields_docs.py + # Exported fields [exported-fields] This document describes the fields that are exported by Winlogbeat. They are grouped in the following categories: @@ -20,4 +22,3 @@ This document describes the fields that are exported by Winlogbeat. They are gro * [*Security module fields*](/reference/winlogbeat/exported-fields-security.md) * [*Sysmon module fields*](/reference/winlogbeat/exported-fields-sysmon.md) * [*Winlogbeat fields*](/reference/winlogbeat/exported-fields-winlog.md) - diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 95c7d0e5b437..0736a6fecdb6 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -360,7 +360,7 @@ endif ifneq ($(shell [[ $(BEAT_NAME) == libbeat || $(BEAT_NAME) == metricbeat ]] && echo true ),true) @# Update docs @mkdir -p docs - @${PYTHON_ENV_EXE} ${ES_BEATS}/libbeat/scripts/generate_fields_docs.py $(PWD)/fields.yml ${BEAT_TITLE} ${ES_BEATS} + @${PYTHON_ENV_EXE} ${ES_BEATS}/libbeat/scripts/generate_fields_docs.py $(PWD)/fields.yml ${BEAT_NAME} ${ES_BEATS} --output_path $(ES_BEATS)/docs/reference/${BEAT_NAME} endif @mkdir -p $(PWD)/_meta/kibana.generated diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index 6c01653d8e26..f8b1be352eba 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py 
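Review bot: The `@mkdir -p docs` kept two lines above the changed recipe line now creates a directory the script no longer writes into; `generate_fields_docs.py` opens its output with `open(..., 'w')` under `--output_path`, so a beat whose `docs/reference/<beat>` directory is not already checked in fails with FileNotFoundError before any page is written. Changing it to `@mkdir -p $(ES_BEATS)/docs/reference/${BEAT_NAME}` (or having the script call `os.makedirs(output_path, exist_ok=True)`) closes that gap. The switch from `${BEAT_TITLE}` to `${BEAT_NAME}` is needed because the script now uses the argument verbatim as a path segment and URL slug, applying `.title()` only for display; a one-line comment on the recipe saying the name must be lowercase would stop someone reverting it. The enclosing `ifneq` block starts outside the hunk.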
@@ -8,46 +8,49 @@ import yaml -def document_fields(output, section, sections, path): +def document_fields(output, section, sections, path, beat): if "skipdocs" in section: return if "anchor" in section: - output.write("[[exported-fields-{}]]\n".format(section["anchor"])) + output.write('''--- +mapped_pages: + - https://www.elastic.co/guide/en/beats/{}/current/exported-fields-{}.html +--- - if "prefix" in section: - output.write("{}\n".format(section["prefix"])) +% This file is generated! See scripts/generate_fields_docs.py\n\n'''.format(beat, section["anchor"])) # Intermediate level titles - if ("description" in section and "prefix" not in section and - "anchor" not in section): - output.write("[float]\n") + # if ("description" in section and "prefix" not in section and + # "anchor" not in section): + # output.write("[float]\n") if "description" in section: + if section["description"] is None: + section["description"] = "None" if "anchor" in section and section["name"] == "ECS": - output.write("== {} fields\n\n".format(section["name"])) - output.write(""" -This section defines Elastic Common Schema (ECS) fields—a common set of fields -to be used when storing event data in {es}. + output.write("# {} fields [exported-fields-ecs]\n\n".format(section["name"])) + output.write("""This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {{{{es}}}}. This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. -The goal of ECS is to enable and encourage users of {es} to normalize their event data, +The goal of ECS is to enable and encourage users of {{{{es}}}} to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. -See the {ecs-ref}[ECS reference] for more information. -""") +See the [ECS reference](ecs://reference/index.md) for more information. 
+""".format_map({"beatname_uc": beat.title()})) elif "anchor" in section: - output.write("== {} fields\n\n".format(section["name"])) - output.write("{}\n\n".format(section["description"])) + output.write("# {} fields [exported-fields-{}]\n\n".format(section["title"], section["anchor"])) + output.write("{}\n\n".format(section["description"].strip())) else: - output.write("=== {}\n\n".format(section["name"])) - output.write("{}\n\n".format(section["description"])) + output.write("## {} [_{}]\n\n".format(section["name"], section["name"])) + output.write("{}\n\n".format(section["description"].strip())) if "fields" not in section or not section["fields"]: return - output.write("\n") for field in section["fields"]: - + if "description" in field and field["description"] is None: + field["description"] = "None" # Skip entries which do not define a name if "name" not in field: continue @@ -58,7 +61,7 @@ def document_fields(output, section, sections, path): newpath = path + "." + field["name"] if "type" in field and field["type"] == "group": - document_fields(output, field, sections, newpath) + document_fields(output, field, sections, newpath, beat) else: document_field(output, field, newpath) 
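Review bot: The new sub-section heading `## {} [_{}]` in document_fields uses `section["name"]` verbatim as the anchor id, which for nested groups contains dots — the regenerated winlogbeat pages elsewhere in this diff show `[_powershell_command]` becoming `[_powershell.command]`, so any existing link to a `#_powershell_command`-style anchor silently breaks. If the old ids are meant to stay stable, `section["name"].replace(".", "_")` in the anchor restores them. Separately, the `# if (...): # output.write("[float]\n")` lines are dead code left commented out rather than deleted, and `section["description"] = "None"` (and the same for fields) publishes the literal word "None" wherever fields.yml has an empty description; an empty string, or skipping the paragraph, reads better. document_fields continues past the end of this hunk, so a later normalisation I cannot see may already handle the anchors.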
@@ -68,13 +71,15 @@ def document_field(output, field, field_path): if "field_path" not in field: field["field_path"] = field_path - output.write("*`{}`*::\n+\n--\n".format(field["field_path"])) + output.write("**`{}`**\n".format(field["field_path"])) + output.write(": ") + + if "description" in field and field["description"] is not None and len(field["description"].strip()) > 0: + output.write("{}".format(" ".join(x for x in field["description"].split("\n") if x)).strip()+"\n\n") if "deprecated" in field: - output.write("\ndeprecated:[{}]\n\n".format(field["deprecated"])) + output.write("{{applies_to}}`product: deprecated {}`\n\n".format(field["deprecated"])) - if "description" in field: - output.write("{}\n\n".format(field["description"])) if "type" in field: output.write("type: {}\n\n".format(field["type"])) if "example" in field: @@ -100,7 +105,7 @@ def document_field(output, field, field_path): if not field["enabled"]: output.write("{}\n\n".format("Object is not enabled.")) - output.write("--\n\n") + output.write("\n") if "multi_fields" in field: for subfield in field["multi_fields"]: 
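Review bot: The definition marker is now written unconditionally by `output.write(": ")` in document_field, but the newline that terminates it is only emitted inside the `if "description" in field and ...` branch, so a field with no `description` key at all produces a line like `: type: keyword` once the following `output.write("type: {}\n\n")` runs (fields whose description is None are rewritten to the string "None" by the earlier hunk and do not hit this). Always terminating the marker fixes it: keep `output.write(": ")`, write the joined description only when present, then `output.write("\n\n")` regardless, so the deprecation and type lines land on their own lines. The join `" ".join(x for x in field["description"].split("\n") if x)` also flattens intentional paragraph breaks in multi-line descriptions into one line, which deserves a comment if it is deliberate. document_field's body continues outside the hunk.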
@@ -121,25 +126,21 @@ def ecs_fields(): return yaml.load(resp.content, Loader=yaml.FullLoader) -def fields_to_asciidoc(input, output, beat): - - dict = {'beat': beat} - - output.write(""" -//// -This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py -//// +def fields_to_asciidoc(input, output_path, beat): + output = open(os.path.join(output_path, "exported-fields.md"), 'w', encoding='utf-8') -:edit_url: + dict = {'beat': beat, 'title': beat.title()} -[[exported-fields]] -= Exported fields + output.write("""--- +mapped_pages: + - https://www.elastic.co/guide/en/beats/{beat}/current/exported-fields.html +--- -[partintro] +% This file is generated! See scripts/generate_fields_docs.py + +# Exported fields [exported-fields] --- -This document describes the fields that are exported by {beat}. They are -grouped in the following categories: +This document describes the fields that are exported by {title}. They are grouped in the following categories: """.format(**dict)) @@ -175,17 +176,21 @@ def fields_to_asciidoc(input, output, beat): section["anchor"] = section["key"] if "skipdocs" not in section: - output.write("* <>\n".format(section["anchor"])) - output.write("\n--\n") - + output.write( + "* [*{} fields*](/reference/{}/exported-fields-{}.md)\n".format(section["title"], beat, section["anchor"])) + output.close() # Sort alphabetically by key for section in sorted(docs, key=lambda field: field["key"]): section["name"] = section["title"] if "anchor" not in section: section["anchor"] = section["key"] - document_fields(output, section, sections, "") - - output.write(":edit_url!:") + if "description" not in section: + section["description"] = section["key"] + if "fields" not in section or not section["fields"]: + continue + output_fields = open(os.path.join( + output_path, "exported-fields-{}.md".format(section["anchor"])), 'w', encoding='utf-8') + document_fields(output_fields, section, sections, "", beat) if __name__ == "__main__": 
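Review bot: `output = open(os.path.join(output_path, "exported-fields.md"), 'w', encoding='utf-8')` in fields_to_asciidoc is not guarded, and its `output.close()` further down is a plain statement, so an exception while writing the index (a missing `title` key, for example) leaves the handle open and a partially written index on disk — the try/finally that the removed `__main__` code used to promise is gone. Writing the index inside `with open(...) as output:` removes the manual close and the failure mode. Nothing creates `output_path` either; `os.makedirs(output_path, exist_ok=True)` before the open would let the script run for a beat whose docs directory is not yet checked in. The function runs past the end of this hunk.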
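Review bot: The index loop links every section lacking `skipdocs` via `* [*{} fields*](/reference/{}/exported-fields-{}.md)`, but the per-section loop below it does `if "fields" not in section or not section["fields"]: continue` before opening the page, so a non-skipped section with no fields gets an index entry pointing at a file that is never generated. Applying the same `fields` check in the index loop keeps the two in step, unless an earlier filter I cannot see already drops such sections. `output_fields` is also opened for every section and never closed; `with open(...) as output_fields: document_fields(output_fields, section, sections, "", beat)` closes and flushes each page deterministically. fields_to_asciidoc starts before this hunk.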
@@ -202,19 +207,11 @@ def fields_to_asciidoc(input, output, beat):
 args = parser.parse_args()
 fields_yml = args.fields
- beat_title = args.beattitle.title()
+ beat_title = args.beattitle
 es_beats = args.es_beats
 # Read fields.yml
 with open(fields_yml, encoding='utf-8') as f:
 fields = f.read()
- # TODO(@VihasMakwana): Following work to be in a follow-up PR.
- # Uncomment and convert exported fields to markdown.
- # output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w', encoding='utf-8')
- # try:
- # fields_to_asciidoc(fields, output, beat_title)
- # finally:
- # output.close()
+ fields_to_asciidoc(fields, args.output_path, beat_title)
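Review bot: `beat_title = args.beattitle` no longer title-cases anything, and fields_to_asciidoc now uses the value as a lowercase path segment and URL slug while applying `.title()` itself for display, so the local name `beat_title` (and the `beattitle` parser option defined above the hunk) now misdescribes the value. `beat_name = args.beattitle  # lowercase beat name; becomes the docs directory and URL slug` would make that contract visible at the call site. `fields_to_asciidoc(fields, args.output_path, beat_title)` also assumes `--output_path` was supplied; if the parser leaves its default at None, `os.path.join` raises a TypeError instead of a usage error, and I cannot see the parser definition to confirm it is `required=True`.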