From 8823de216ef3afb5023fe39e89533d70ac4731a2 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Wed, 20 Nov 2019 22:25:14 -0500
Subject: [PATCH 1/7] Flesh out the csv a little

---
generated/csv/fields.csv | 922 ++++++++++++++--------------
scripts/generators/csv_generator.py | 6 +-
2 files changed, 465 insertions(+), 463 deletions(-)

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 1a6c5778ea..7c8036578d 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,461 +1,461 @@ -Field,Type,Level,Example,ECS version -@timestamp,date,core,2016-05-23T08:05:34.853Z,1.2.0-dev -labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",1.2.0-dev -message,text,core,Hello World,1.2.0-dev -tags,keyword,core,"[""production"", ""env2""]",1.2.0-dev -agent.ephemeral_id,keyword,extended,8a4f500f,1.2.0-dev -agent.id,keyword,core,8a4f500d,1.2.0-dev -agent.name,keyword,core,foo,1.2.0-dev -agent.type,keyword,core,filebeat,1.2.0-dev -agent.version,keyword,core,6.0.0-rc2,1.2.0-dev -as.number,long,extended,15169,1.2.0-dev -as.organization.name,keyword,extended,Google LLC,1.2.0-dev -client.address,keyword,extended,,1.2.0-dev -client.as.number,long,extended,15169,1.2.0-dev -client.as.organization.name,keyword,extended,Google LLC,1.2.0-dev -client.bytes,long,core,184,1.2.0-dev -client.domain,keyword,core,,1.2.0-dev -client.geo.city_name,keyword,core,Montreal,1.2.0-dev -client.geo.continent_name,keyword,core,North America,1.2.0-dev -client.geo.country_iso_code,keyword,core,CA,1.2.0-dev -client.geo.country_name,keyword,core,Canada,1.2.0-dev -client.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -client.geo.name,keyword,extended,boston-dc,1.2.0-dev -client.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -client.geo.region_name,keyword,core,Quebec,1.2.0-dev -client.ip,ip,core,,1.2.0-dev -client.mac,keyword,core,,1.2.0-dev -client.nat.ip,ip,extended,,1.2.0-dev -client.nat.port,long,extended,,1.2.0-dev -client.packets,long,core,12,1.2.0-dev -client.port,long,core,,1.2.0-dev -client.registered_domain,keyword,extended,google.com,1.2.0-dev -client.top_level_domain,keyword,extended,co.uk,1.2.0-dev -client.user.domain,keyword,extended,,1.2.0-dev -client.user.email,keyword,extended,,1.2.0-dev -client.user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -client.user.group.domain,keyword,extended,,1.2.0-dev -client.user.group.id,keyword,extended,,1.2.0-dev 
-client.user.group.name,keyword,extended,,1.2.0-dev -client.user.hash,keyword,extended,,1.2.0-dev -client.user.id,keyword,core,,1.2.0-dev -client.user.name,keyword,core,albert,1.2.0-dev -cloud.account.id,keyword,extended,666777888999,1.2.0-dev -cloud.availability_zone,keyword,extended,us-east-1c,1.2.0-dev -cloud.instance.id,keyword,extended,i-1234567890abcdef0,1.2.0-dev -cloud.instance.name,keyword,extended,,1.2.0-dev -cloud.machine.type,keyword,extended,t2.medium,1.2.0-dev -cloud.provider,keyword,extended,aws,1.2.0-dev -cloud.region,keyword,extended,us-east-1,1.2.0-dev -container.id,keyword,core,,1.2.0-dev -container.image.name,keyword,extended,,1.2.0-dev -container.image.tag,keyword,extended,,1.2.0-dev -container.labels,object,extended,,1.2.0-dev -container.name,keyword,extended,,1.2.0-dev -container.runtime,keyword,extended,docker,1.2.0-dev -destination.address,keyword,extended,,1.2.0-dev -destination.as.number,long,extended,15169,1.2.0-dev -destination.as.organization.name,keyword,extended,Google LLC,1.2.0-dev -destination.bytes,long,core,184,1.2.0-dev -destination.domain,keyword,core,,1.2.0-dev -destination.geo.city_name,keyword,core,Montreal,1.2.0-dev -destination.geo.continent_name,keyword,core,North America,1.2.0-dev -destination.geo.country_iso_code,keyword,core,CA,1.2.0-dev -destination.geo.country_name,keyword,core,Canada,1.2.0-dev -destination.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -destination.geo.name,keyword,extended,boston-dc,1.2.0-dev -destination.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -destination.geo.region_name,keyword,core,Quebec,1.2.0-dev -destination.ip,ip,core,,1.2.0-dev -destination.mac,keyword,core,,1.2.0-dev -destination.nat.ip,ip,extended,,1.2.0-dev -destination.nat.port,long,extended,,1.2.0-dev -destination.packets,long,core,12,1.2.0-dev -destination.port,long,core,,1.2.0-dev -destination.registered_domain,keyword,extended,google.com,1.2.0-dev 
-destination.top_level_domain,keyword,extended,co.uk,1.2.0-dev -destination.user.domain,keyword,extended,,1.2.0-dev -destination.user.email,keyword,extended,,1.2.0-dev -destination.user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -destination.user.group.domain,keyword,extended,,1.2.0-dev -destination.user.group.id,keyword,extended,,1.2.0-dev -destination.user.group.name,keyword,extended,,1.2.0-dev -destination.user.hash,keyword,extended,,1.2.0-dev -destination.user.id,keyword,core,,1.2.0-dev -destination.user.name,keyword,core,albert,1.2.0-dev -dns.answers,object,extended,,1.2.0-dev -dns.answers.class,keyword,extended,IN,1.2.0-dev -dns.answers.data,keyword,extended,10.10.10.10,1.2.0-dev -dns.answers.name,keyword,extended,www.google.com,1.2.0-dev -dns.answers.ttl,long,extended,180,1.2.0-dev -dns.answers.type,keyword,extended,CNAME,1.2.0-dev -dns.header_flags,keyword,extended,"['RD', 'RA']",1.2.0-dev -dns.id,keyword,extended,62111,1.2.0-dev -dns.op_code,keyword,extended,QUERY,1.2.0-dev -dns.question.class,keyword,extended,IN,1.2.0-dev -dns.question.name,keyword,extended,www.google.com,1.2.0-dev -dns.question.registered_domain,keyword,extended,google.com,1.2.0-dev -dns.question.subdomain,keyword,extended,www,1.2.0-dev -dns.question.top_level_domain,keyword,extended,co.uk,1.2.0-dev -dns.question.type,keyword,extended,AAAA,1.2.0-dev -dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",1.2.0-dev -dns.response_code,keyword,extended,NOERROR,1.2.0-dev -dns.type,keyword,extended,answer,1.2.0-dev -ecs.version,keyword,core,1.0.0,1.2.0-dev -error.code,keyword,core,,1.2.0-dev -error.id,keyword,core,,1.2.0-dev -error.message,text,core,,1.2.0-dev -error.stack_trace,keyword,extended,,1.2.0-dev -error.type,keyword,extended,java.lang.NullPointerException,1.2.0-dev -event.action,keyword,core,user-password-change,1.2.0-dev -event.category,keyword,core,user-management,1.2.0-dev -event.code,keyword,extended,4648,1.2.0-dev -event.created,date,core,2016-05-23 
08:05:34.857000,1.2.0-dev -event.dataset,keyword,core,apache.access,1.2.0-dev -event.duration,long,core,,1.2.0-dev -event.end,date,extended,,1.2.0-dev -event.hash,keyword,extended,123456789012345678901234567890ABCD,1.2.0-dev -event.id,keyword,core,8a4f500d,1.2.0-dev -event.ingested,date,core,2016-05-23 08:05:35.101000,1.2.0-dev -event.kind,keyword,extended,state,1.2.0-dev -event.module,keyword,core,apache,1.2.0-dev -event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,1.2.0-dev -event.outcome,keyword,extended,success,1.2.0-dev -event.provider,keyword,extended,kernel,1.2.0-dev -event.risk_score,float,core,,1.2.0-dev -event.risk_score_norm,float,extended,,1.2.0-dev -event.sequence,long,extended,,1.2.0-dev -event.severity,long,core,7,1.2.0-dev -event.start,date,extended,,1.2.0-dev -event.timezone,keyword,extended,,1.2.0-dev -event.type,keyword,core,,1.2.0-dev -file.accessed,date,extended,,1.2.0-dev -file.created,date,extended,,1.2.0-dev -file.ctime,date,extended,,1.2.0-dev -file.device,keyword,extended,sda,1.2.0-dev -file.directory,keyword,extended,/home/alice,1.2.0-dev -file.extension,keyword,extended,png,1.2.0-dev -file.gid,keyword,extended,1001,1.2.0-dev -file.group,keyword,extended,alice,1.2.0-dev -file.hash.md5,keyword,extended,,1.2.0-dev -file.hash.sha1,keyword,extended,,1.2.0-dev -file.hash.sha256,keyword,extended,,1.2.0-dev -file.hash.sha512,keyword,extended,,1.2.0-dev -file.inode,keyword,extended,256383,1.2.0-dev -file.mode,keyword,extended,0640,1.2.0-dev -file.mtime,date,extended,,1.2.0-dev -file.name,keyword,extended,example.png,1.2.0-dev -file.owner,keyword,extended,alice,1.2.0-dev -file.path,keyword,extended,/home/alice/example.png,1.2.0-dev -file.size,long,extended,16384,1.2.0-dev -file.target_path,keyword,extended,,1.2.0-dev -file.type,keyword,extended,file,1.2.0-dev -file.uid,keyword,extended,1001,1.2.0-dev -geo.city_name,keyword,core,Montreal,1.2.0-dev 
-geo.continent_name,keyword,core,North America,1.2.0-dev -geo.country_iso_code,keyword,core,CA,1.2.0-dev -geo.country_name,keyword,core,Canada,1.2.0-dev -geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -geo.name,keyword,extended,boston-dc,1.2.0-dev -geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -geo.region_name,keyword,core,Quebec,1.2.0-dev -group.domain,keyword,extended,,1.2.0-dev -group.id,keyword,extended,,1.2.0-dev -group.name,keyword,extended,,1.2.0-dev -hash.md5,keyword,extended,,1.2.0-dev -hash.sha1,keyword,extended,,1.2.0-dev -hash.sha256,keyword,extended,,1.2.0-dev -hash.sha512,keyword,extended,,1.2.0-dev -host.architecture,keyword,core,x86_64,1.2.0-dev -host.domain,keyword,extended,CONTOSO,1.2.0-dev -host.geo.city_name,keyword,core,Montreal,1.2.0-dev -host.geo.continent_name,keyword,core,North America,1.2.0-dev -host.geo.country_iso_code,keyword,core,CA,1.2.0-dev -host.geo.country_name,keyword,core,Canada,1.2.0-dev -host.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -host.geo.name,keyword,extended,boston-dc,1.2.0-dev -host.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -host.geo.region_name,keyword,core,Quebec,1.2.0-dev -host.hostname,keyword,core,,1.2.0-dev -host.id,keyword,core,,1.2.0-dev -host.ip,ip,core,,1.2.0-dev -host.mac,keyword,core,,1.2.0-dev -host.name,keyword,core,,1.2.0-dev -host.os.family,keyword,extended,debian,1.2.0-dev -host.os.full,keyword,extended,Mac OS Mojave,1.2.0-dev -host.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev -host.os.name,keyword,extended,Mac OS X,1.2.0-dev -host.os.platform,keyword,extended,darwin,1.2.0-dev -host.os.version,keyword,extended,10.14.1,1.2.0-dev -host.type,keyword,core,,1.2.0-dev -host.uptime,long,extended,1325,1.2.0-dev -host.user.domain,keyword,extended,,1.2.0-dev -host.user.email,keyword,extended,,1.2.0-dev -host.user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -host.user.group.domain,keyword,extended,,1.2.0-dev 
-host.user.group.id,keyword,extended,,1.2.0-dev -host.user.group.name,keyword,extended,,1.2.0-dev -host.user.hash,keyword,extended,,1.2.0-dev -host.user.id,keyword,core,,1.2.0-dev -host.user.name,keyword,core,albert,1.2.0-dev -http.request.body.bytes,long,extended,887,1.2.0-dev -http.request.body.content,keyword,extended,Hello world,1.2.0-dev -http.request.bytes,long,extended,1437,1.2.0-dev -http.request.method,keyword,extended,"get, post, put",1.2.0-dev -http.request.referrer,keyword,extended,https://blog.example.com/,1.2.0-dev -http.response.body.bytes,long,extended,887,1.2.0-dev -http.response.body.content,keyword,extended,Hello world,1.2.0-dev -http.response.bytes,long,extended,1437,1.2.0-dev -http.response.status_code,long,extended,404,1.2.0-dev -http.version,keyword,extended,1.1,1.2.0-dev -log.level,keyword,core,error,1.2.0-dev -log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,1.2.0-dev -log.origin.file.line,integer,extended,42,1.2.0-dev -log.origin.file.name,keyword,extended,Bootstrap.java,1.2.0-dev -log.origin.function,keyword,extended,init,1.2.0-dev -log.original,keyword,core,Sep 19 08:26:10 localhost My log,1.2.0-dev -log.syslog,object,extended,,1.2.0-dev -log.syslog.facility.code,long,extended,23,1.2.0-dev -log.syslog.facility.name,keyword,extended,local7,1.2.0-dev -log.syslog.priority,long,extended,135,1.2.0-dev -log.syslog.severity.code,long,extended,3,1.2.0-dev -log.syslog.severity.name,keyword,extended,Error,1.2.0-dev -network.application,keyword,extended,aim,1.2.0-dev -network.bytes,long,core,368,1.2.0-dev -network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,1.2.0-dev -network.direction,keyword,core,inbound,1.2.0-dev -network.forwarded_ip,ip,core,192.1.1.2,1.2.0-dev -network.iana_number,keyword,extended,6,1.2.0-dev -network.name,keyword,extended,Guest Wifi,1.2.0-dev -network.packets,long,core,24,1.2.0-dev -network.protocol,keyword,core,http,1.2.0-dev -network.transport,keyword,core,tcp,1.2.0-dev 
-network.type,keyword,core,ipv4,1.2.0-dev -observer.geo.city_name,keyword,core,Montreal,1.2.0-dev -observer.geo.continent_name,keyword,core,North America,1.2.0-dev -observer.geo.country_iso_code,keyword,core,CA,1.2.0-dev -observer.geo.country_name,keyword,core,Canada,1.2.0-dev -observer.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -observer.geo.name,keyword,extended,boston-dc,1.2.0-dev -observer.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -observer.geo.region_name,keyword,core,Quebec,1.2.0-dev -observer.hostname,keyword,core,,1.2.0-dev -observer.ip,ip,core,,1.2.0-dev -observer.mac,keyword,core,,1.2.0-dev -observer.name,keyword,extended,1_proxySG,1.2.0-dev -observer.os.family,keyword,extended,debian,1.2.0-dev -observer.os.full,keyword,extended,Mac OS Mojave,1.2.0-dev -observer.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev -observer.os.name,keyword,extended,Mac OS X,1.2.0-dev -observer.os.platform,keyword,extended,darwin,1.2.0-dev -observer.os.version,keyword,extended,10.14.1,1.2.0-dev -observer.product,keyword,extended,s200,1.2.0-dev -observer.serial_number,keyword,extended,,1.2.0-dev -observer.type,keyword,core,firewall,1.2.0-dev -observer.vendor,keyword,core,Symantec,1.2.0-dev -observer.version,keyword,core,,1.2.0-dev -organization.id,keyword,extended,,1.2.0-dev -organization.name,keyword,extended,,1.2.0-dev -os.family,keyword,extended,debian,1.2.0-dev -os.full,keyword,extended,Mac OS Mojave,1.2.0-dev -os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev -os.name,keyword,extended,Mac OS X,1.2.0-dev -os.platform,keyword,extended,darwin,1.2.0-dev -os.version,keyword,extended,10.14.1,1.2.0-dev -package.architecture,keyword,extended,x86_64,1.2.0-dev -package.build_version,keyword,extended,36f4f7e89dd61b0988b12ee000b98966867710cd,1.2.0-dev -package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,1.2.0-dev -package.description,keyword,extended,Open source programming language to build 
simple/reliable/efficient software.,1.2.0-dev -package.install_scope,keyword,extended,global,1.2.0-dev -package.installed,date,extended,,1.2.0-dev -package.license,keyword,extended,Apache License 2.0,1.2.0-dev -package.name,keyword,extended,go,1.2.0-dev -package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,1.2.0-dev -package.reference,keyword,extended,https://golang.org,1.2.0-dev -package.size,long,extended,62231,1.2.0-dev -package.type,keyword,extended,rpm,1.2.0-dev -package.version,keyword,extended,1.12.9,1.2.0-dev -process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev -process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,1.2.0-dev -process.executable,keyword,extended,/usr/bin/ssh,1.2.0-dev -process.exit_code,long,extended,137,1.2.0-dev -process.hash.md5,keyword,extended,,1.2.0-dev -process.hash.sha1,keyword,extended,,1.2.0-dev -process.hash.sha256,keyword,extended,,1.2.0-dev -process.hash.sha512,keyword,extended,,1.2.0-dev -process.name,keyword,extended,ssh,1.2.0-dev -process.parent.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev -process.parent.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,1.2.0-dev -process.parent.executable,keyword,extended,/usr/bin/ssh,1.2.0-dev -process.parent.exit_code,long,extended,137,1.2.0-dev -process.parent.name,keyword,extended,ssh,1.2.0-dev -process.parent.pgid,long,extended,,1.2.0-dev -process.parent.pid,long,core,4242,1.2.0-dev -process.parent.ppid,long,extended,4241,1.2.0-dev -process.parent.start,date,extended,2016-05-23T08:05:34.853Z,1.2.0-dev -process.parent.thread.id,long,extended,4242,1.2.0-dev -process.parent.thread.name,keyword,extended,thread-0,1.2.0-dev -process.parent.title,keyword,extended,,1.2.0-dev -process.parent.uptime,long,extended,1325,1.2.0-dev -process.parent.working_directory,keyword,extended,/home/alice,1.2.0-dev -process.pgid,long,extended,,1.2.0-dev -process.pid,long,core,4242,1.2.0-dev 
-process.ppid,long,extended,4241,1.2.0-dev -process.start,date,extended,2016-05-23T08:05:34.853Z,1.2.0-dev -process.thread.id,long,extended,4242,1.2.0-dev -process.thread.name,keyword,extended,thread-0,1.2.0-dev -process.title,keyword,extended,,1.2.0-dev -process.uptime,long,extended,1325,1.2.0-dev -process.working_directory,keyword,extended,/home/alice,1.2.0-dev -related.ip,ip,extended,,1.2.0-dev -server.address,keyword,extended,,1.2.0-dev -server.as.number,long,extended,15169,1.2.0-dev -server.as.organization.name,keyword,extended,Google LLC,1.2.0-dev -server.bytes,long,core,184,1.2.0-dev -server.domain,keyword,core,,1.2.0-dev -server.geo.city_name,keyword,core,Montreal,1.2.0-dev -server.geo.continent_name,keyword,core,North America,1.2.0-dev -server.geo.country_iso_code,keyword,core,CA,1.2.0-dev -server.geo.country_name,keyword,core,Canada,1.2.0-dev -server.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -server.geo.name,keyword,extended,boston-dc,1.2.0-dev -server.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -server.geo.region_name,keyword,core,Quebec,1.2.0-dev -server.ip,ip,core,,1.2.0-dev -server.mac,keyword,core,,1.2.0-dev -server.nat.ip,ip,extended,,1.2.0-dev -server.nat.port,long,extended,,1.2.0-dev -server.packets,long,core,12,1.2.0-dev -server.port,long,core,,1.2.0-dev -server.registered_domain,keyword,extended,google.com,1.2.0-dev -server.top_level_domain,keyword,extended,co.uk,1.2.0-dev -server.user.domain,keyword,extended,,1.2.0-dev -server.user.email,keyword,extended,,1.2.0-dev -server.user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -server.user.group.domain,keyword,extended,,1.2.0-dev -server.user.group.id,keyword,extended,,1.2.0-dev -server.user.group.name,keyword,extended,,1.2.0-dev -server.user.hash,keyword,extended,,1.2.0-dev -server.user.id,keyword,core,,1.2.0-dev -server.user.name,keyword,core,albert,1.2.0-dev -service.ephemeral_id,keyword,extended,8a4f500f,1.2.0-dev 
-service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,1.2.0-dev -service.name,keyword,core,elasticsearch-metrics,1.2.0-dev -service.node.name,keyword,extended,instance-0000000016,1.2.0-dev -service.state,keyword,core,,1.2.0-dev -service.type,keyword,core,elasticsearch,1.2.0-dev -service.version,keyword,core,3.2.4,1.2.0-dev -source.address,keyword,extended,,1.2.0-dev -source.as.number,long,extended,15169,1.2.0-dev -source.as.organization.name,keyword,extended,Google LLC,1.2.0-dev -source.bytes,long,core,184,1.2.0-dev -source.domain,keyword,core,,1.2.0-dev -source.geo.city_name,keyword,core,Montreal,1.2.0-dev -source.geo.continent_name,keyword,core,North America,1.2.0-dev -source.geo.country_iso_code,keyword,core,CA,1.2.0-dev -source.geo.country_name,keyword,core,Canada,1.2.0-dev -source.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",1.2.0-dev -source.geo.name,keyword,extended,boston-dc,1.2.0-dev -source.geo.region_iso_code,keyword,core,CA-QC,1.2.0-dev -source.geo.region_name,keyword,core,Quebec,1.2.0-dev -source.ip,ip,core,,1.2.0-dev -source.mac,keyword,core,,1.2.0-dev -source.nat.ip,ip,extended,,1.2.0-dev -source.nat.port,long,extended,,1.2.0-dev -source.packets,long,core,12,1.2.0-dev -source.port,long,core,,1.2.0-dev -source.registered_domain,keyword,extended,google.com,1.2.0-dev -source.top_level_domain,keyword,extended,co.uk,1.2.0-dev -source.user.domain,keyword,extended,,1.2.0-dev -source.user.email,keyword,extended,,1.2.0-dev -source.user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -source.user.group.domain,keyword,extended,,1.2.0-dev -source.user.group.id,keyword,extended,,1.2.0-dev -source.user.group.name,keyword,extended,,1.2.0-dev -source.user.hash,keyword,extended,,1.2.0-dev -source.user.id,keyword,core,,1.2.0-dev -source.user.name,keyword,core,albert,1.2.0-dev -threat.framework,keyword,extended,MITRE ATT&CK,1.2.0-dev -threat.tactic.id,keyword,extended,TA0040,1.2.0-dev 
-threat.tactic.name,keyword,extended,impact,1.2.0-dev -threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040/,1.2.0-dev -threat.technique.id,keyword,extended,T1499,1.2.0-dev -threat.technique.name,keyword,extended,endpoint denial of service,1.2.0-dev -threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,1.2.0-dev -tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,1.2.0-dev -tls.client.certificate,keyword,extended,MII...,1.2.0-dev -tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",1.2.0-dev -tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,1.2.0-dev -tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,1.2.0-dev -tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,1.2.0-dev -tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev -tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,1.2.0-dev -tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,1.2.0-dev -tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,1.2.0-dev -tls.client.server_name,keyword,extended,www.elastic.co,1.2.0-dev -tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",1.2.0-dev -tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",1.2.0-dev -tls.curve,keyword,extended,secp256r1,1.2.0-dev -tls.established,boolean,extended,,1.2.0-dev -tls.next_protocol,keyword,extended,http/1.1,1.2.0-dev -tls.resumed,boolean,extended,,1.2.0-dev -tls.server.certificate,keyword,extended,MII...,1.2.0-dev -tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",1.2.0-dev -tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,1.2.0-dev 
-tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,1.2.0-dev -tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,1.2.0-dev -tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev -tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,1.2.0-dev -tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,1.2.0-dev -tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,1.2.0-dev -tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",1.2.0-dev -tls.server.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",1.2.0-dev -tls.version,keyword,extended,1.2,1.2.0-dev -tls.version_protocol,keyword,extended,tls,1.2.0-dev -trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,1.2.0-dev -transaction.id,keyword,extended,00f067aa0ba902b7,1.2.0-dev -url.domain,keyword,extended,www.elastic.co,1.2.0-dev -url.extension,keyword,extended,png,1.2.0-dev -url.fragment,keyword,extended,,1.2.0-dev -url.full,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top,1.2.0-dev -url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,1.2.0-dev -url.password,keyword,extended,,1.2.0-dev -url.path,keyword,extended,,1.2.0-dev -url.port,long,extended,443,1.2.0-dev -url.query,keyword,extended,,1.2.0-dev -url.registered_domain,keyword,extended,google.com,1.2.0-dev -url.scheme,keyword,extended,https,1.2.0-dev -url.top_level_domain,keyword,extended,co.uk,1.2.0-dev -url.username,keyword,extended,,1.2.0-dev -user.domain,keyword,extended,,1.2.0-dev -user.email,keyword,extended,,1.2.0-dev -user.full_name,keyword,extended,Albert Einstein,1.2.0-dev -user.group.domain,keyword,extended,,1.2.0-dev -user.group.id,keyword,extended,,1.2.0-dev 
-user.group.name,keyword,extended,,1.2.0-dev -user.hash,keyword,extended,,1.2.0-dev -user.id,keyword,core,,1.2.0-dev -user.name,keyword,core,albert,1.2.0-dev -user_agent.device.name,keyword,extended,iPhone,1.2.0-dev -user_agent.name,keyword,extended,Safari,1.2.0-dev -user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",1.2.0-dev -user_agent.os.family,keyword,extended,debian,1.2.0-dev -user_agent.os.full,keyword,extended,Mac OS Mojave,1.2.0-dev -user_agent.os.kernel,keyword,extended,4.4.0-112-generic,1.2.0-dev -user_agent.os.name,keyword,extended,Mac OS X,1.2.0-dev -user_agent.os.platform,keyword,extended,darwin,1.2.0-dev -user_agent.os.version,keyword,extended,10.14.1,1.2.0-dev -user_agent.version,keyword,extended,12.0,1.2.0-dev -vulnerability.category,keyword,extended,"[""Firewall""]",1.2.0-dev -vulnerability.classification,keyword,extended,CVSS,1.2.0-dev -vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",1.2.0-dev -vulnerability.enumeration,keyword,extended,CVE,1.2.0-dev -vulnerability.id,keyword,extended,CVE-2019-00001,1.2.0-dev -vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,1.2.0-dev -vulnerability.report_id,keyword,extended,20191018.0001,1.2.0-dev -vulnerability.scanner.vendor,keyword,extended,Tenable,1.2.0-dev -vulnerability.score.base,float,extended,5.5,1.2.0-dev -vulnerability.score.environmental,float,extended,5.5,1.2.0-dev -vulnerability.score.temporal,float,extended,,1.2.0-dev -vulnerability.score.version,keyword,extended,2.0,1.2.0-dev -vulnerability.severity,keyword,extended,Critical,1.2.0-dev +ECS version,Indexed,Field,Type,Level,Example,Description +1.2.0-dev,True,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. 
+1.2.0-dev,True,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. +1.2.0-dev,True,message,text,core,Hello World,Log message optimized for viewing in a log viewer. +1.2.0-dev,True,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. +1.2.0-dev,True,agent.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this agent. +1.2.0-dev,True,agent.id,keyword,core,8a4f500d,Unique identifier of this agent. +1.2.0-dev,True,agent.name,keyword,core,foo,Custom name of the agent. +1.2.0-dev,True,agent.type,keyword,core,filebeat,Type of the agent. +1.2.0-dev,True,agent.version,keyword,core,6.0.0-rc2,Version of the agent. +1.2.0-dev,True,as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,client.address,keyword,extended,,Client network address. +1.2.0-dev,True,client.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,client.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,client.bytes,long,core,184,Bytes sent from the client to the server. +1.2.0-dev,True,client.domain,keyword,core,,Client domain. +1.2.0-dev,True,client.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,client.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,client.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,client.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,client.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,client.geo.name,keyword,extended,boston-dc,User-defined description of a location. 
+1.2.0-dev,True,client.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,client.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,client.ip,ip,core,,IP address of the client. +1.2.0-dev,True,client.mac,keyword,core,,MAC address of the client. +1.2.0-dev,True,client.nat.ip,ip,extended,,Client NAT ip address +1.2.0-dev,True,client.nat.port,long,extended,,Client NAT port +1.2.0-dev,True,client.packets,long,core,12,Packets sent from the client to the server. +1.2.0-dev,True,client.port,long,core,,Port of the client. +1.2.0-dev,True,client.registered_domain,keyword,extended,google.com,"The highest registered client domain, stripped of the subdomain." +1.2.0-dev,True,client.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,client.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,client.user.email,keyword,extended,,User email address. +1.2.0-dev,True,client.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,client.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,client.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,client.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,client.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,client.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,client.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,cloud.account.id,keyword,extended,666777888999,The cloud account or organization id. +1.2.0-dev,True,cloud.availability_zone,keyword,extended,us-east-1c,Availability zone in which this host is running. 
+1.2.0-dev,True,cloud.instance.id,keyword,extended,i-1234567890abcdef0,Instance ID of the host machine. +1.2.0-dev,True,cloud.instance.name,keyword,extended,,Instance name of the host machine. +1.2.0-dev,True,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine. +1.2.0-dev,True,cloud.provider,keyword,extended,aws,Name of the cloud provider. +1.2.0-dev,True,cloud.region,keyword,extended,us-east-1,Region in which this host is running. +1.2.0-dev,True,container.id,keyword,core,,Unique container id. +1.2.0-dev,True,container.image.name,keyword,extended,,Name of the image the container was built on. +1.2.0-dev,True,container.image.tag,keyword,extended,,Container image tag. +1.2.0-dev,True,container.labels,object,extended,,Image labels. +1.2.0-dev,True,container.name,keyword,extended,,Container name. +1.2.0-dev,True,container.runtime,keyword,extended,docker,Runtime managing this container. +1.2.0-dev,True,destination.address,keyword,extended,,Destination network address. +1.2.0-dev,True,destination.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,destination.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,destination.bytes,long,core,184,Bytes sent from the destination to the source. +1.2.0-dev,True,destination.domain,keyword,core,,Destination domain. +1.2.0-dev,True,destination.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,destination.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,destination.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,destination.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,destination.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.2.0-dev,True,destination.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,destination.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,destination.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,destination.ip,ip,core,,IP address of the destination. +1.2.0-dev,True,destination.mac,keyword,core,,MAC address of the destination. +1.2.0-dev,True,destination.nat.ip,ip,extended,,Destination NAT ip +1.2.0-dev,True,destination.nat.port,long,extended,,Destination NAT Port +1.2.0-dev,True,destination.packets,long,core,12,Packets sent from the destination to the source. +1.2.0-dev,True,destination.port,long,core,,Port of the destination. +1.2.0-dev,True,destination.registered_domain,keyword,extended,google.com,"The highest registered destination domain, stripped of the subdomain." +1.2.0-dev,True,destination.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,destination.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,destination.user.email,keyword,extended,,User email address. +1.2.0-dev,True,destination.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,destination.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,destination.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,destination.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,destination.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,destination.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,destination.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,dns.answers,object,extended,,Array of DNS answers. 
+1.2.0-dev,True,dns.answers.class,keyword,extended,IN,The class of DNS data contained in this resource record. +1.2.0-dev,True,dns.answers.data,keyword,extended,10.10.10.10,The data describing the resource. +1.2.0-dev,True,dns.answers.name,keyword,extended,www.google.com,The domain name to which this resource record pertains. +1.2.0-dev,True,dns.answers.ttl,long,extended,180,The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +1.2.0-dev,True,dns.answers.type,keyword,extended,CNAME,The type of data contained in this resource record. +1.2.0-dev,True,dns.header_flags,keyword,extended,"['RD', 'RA']",Array of DNS header flags. +1.2.0-dev,True,dns.id,keyword,extended,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.2.0-dev,True,dns.op_code,keyword,extended,QUERY,The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. +1.2.0-dev,True,dns.question.class,keyword,extended,IN,The class of of records being queried. +1.2.0-dev,True,dns.question.name,keyword,extended,www.google.com,The name being queried. +1.2.0-dev,True,dns.question.registered_domain,keyword,extended,google.com,"The highest registered domain, stripped of the subdomain." +1.2.0-dev,True,dns.question.subdomain,keyword,extended,www,The subdomain of the domain. +1.2.0-dev,True,dns.question.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,dns.question.type,keyword,extended,AAAA,The type of record being queried. +1.2.0-dev,True,dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data +1.2.0-dev,True,dns.response_code,keyword,extended,NOERROR,The DNS response code. 
+1.2.0-dev,True,dns.type,keyword,extended,answer,"The type of DNS event captured, query or answer." +1.2.0-dev,True,ecs.version,keyword,core,1.0.0,ECS version this event conforms to. +1.2.0-dev,True,error.code,keyword,core,,Error code describing the error. +1.2.0-dev,True,error.id,keyword,core,,Unique identifier for the error. +1.2.0-dev,True,error.message,text,core,,Error message. +1.2.0-dev,False,error.stack_trace,keyword,extended,,The stack trace of this error in plain text. +1.2.0-dev,True,error.type,keyword,extended,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.2.0-dev,True,event.action,keyword,core,user-password-change,The action captured by the event. +1.2.0-dev,True,event.category,keyword,core,user-management,Event category. +1.2.0-dev,True,event.code,keyword,extended,4648,Identification code for this event. +1.2.0-dev,True,event.created,date,core,2016-05-23 08:05:34.857000,Time when the event was first read by an agent or by your pipeline. +1.2.0-dev,True,event.dataset,keyword,core,apache.access,Name of the dataset. +1.2.0-dev,True,event.duration,long,core,,Duration of the event in nanoseconds. +1.2.0-dev,True,event.end,date,extended,,event.end contains the date when the event ended or when the activity was last observed. +1.2.0-dev,True,event.hash,keyword,extended,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.2.0-dev,True,event.id,keyword,core,8a4f500d,Unique ID to describe the event. +1.2.0-dev,True,event.ingested,date,core,2016-05-23 08:05:35.101000,Timestamp when an event arrived in the central data store. +1.2.0-dev,True,event.kind,keyword,extended,state,The kind of the event. +1.2.0-dev,True,event.module,keyword,core,apache,Name of the module this data is coming from. 
+1.2.0-dev,False,event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.2.0-dev,True,event.outcome,keyword,extended,success,The outcome of the event. +1.2.0-dev,True,event.provider,keyword,extended,kernel,Source of the event. +1.2.0-dev,True,event.risk_score,float,core,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.2.0-dev,True,event.risk_score_norm,float,extended,,Normalized risk score or priority of the event (0-100). +1.2.0-dev,True,event.sequence,long,extended,,Sequence number of the event. +1.2.0-dev,True,event.severity,long,core,7,Numeric severity of the event. +1.2.0-dev,True,event.start,date,extended,,event.start contains the date when the event started or when the activity was first observed. +1.2.0-dev,True,event.timezone,keyword,extended,,Event time zone. +1.2.0-dev,True,event.type,keyword,core,,Reserved for future usage. +1.2.0-dev,True,file.accessed,date,extended,,Last time the file was accessed. +1.2.0-dev,True,file.created,date,extended,,File creation time. +1.2.0-dev,True,file.ctime,date,extended,,Last time the file attributes or metadata changed. +1.2.0-dev,True,file.device,keyword,extended,sda,Device that is the source of the file. +1.2.0-dev,True,file.directory,keyword,extended,/home/alice,Directory where the file is located. +1.2.0-dev,True,file.extension,keyword,extended,png,File extension. +1.2.0-dev,True,file.gid,keyword,extended,1001,Primary group ID (GID) of the file. +1.2.0-dev,True,file.group,keyword,extended,alice,Primary group name of the file. +1.2.0-dev,True,file.hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,file.hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,file.hash.sha256,keyword,extended,,SHA256 hash. +1.2.0-dev,True,file.hash.sha512,keyword,extended,,SHA512 hash. 
+1.2.0-dev,True,file.inode,keyword,extended,256383,Inode representing the file in the filesystem. +1.2.0-dev,True,file.mode,keyword,extended,0640,Mode of the file in octal representation. +1.2.0-dev,True,file.mtime,date,extended,,Last time the file content was modified. +1.2.0-dev,True,file.name,keyword,extended,example.png,"Name of the file including the extension, without the directory." +1.2.0-dev,True,file.owner,keyword,extended,alice,File owner's username. +1.2.0-dev,True,file.path,keyword,extended,/home/alice/example.png,Full path to the file. +1.2.0-dev,True,file.size,long,extended,16384,File size in bytes. +1.2.0-dev,True,file.target_path,keyword,extended,,Target path for symlinks. +1.2.0-dev,True,file.type,keyword,extended,file,"File type (file, dir, or symlink)." +1.2.0-dev,True,file.uid,keyword,extended,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.2.0-dev,True,geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,hash.sha256,keyword,extended,,SHA256 hash. 
+1.2.0-dev,True,hash.sha512,keyword,extended,,SHA512 hash. +1.2.0-dev,True,host.architecture,keyword,core,x86_64,Operating system architecture. +1.2.0-dev,True,host.domain,keyword,extended,CONTOSO,Name of the directory the group is a member of. +1.2.0-dev,True,host.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,host.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,host.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,host.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,host.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,host.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,host.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,host.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,host.hostname,keyword,core,,Hostname of the host. +1.2.0-dev,True,host.id,keyword,core,,Unique host id. +1.2.0-dev,True,host.ip,ip,core,,Host ip address. +1.2.0-dev,True,host.mac,keyword,core,,Host mac address. +1.2.0-dev,True,host.name,keyword,core,,Name of the host. +1.2.0-dev,True,host.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,host.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,host.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,host.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,host.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,host.os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,host.type,keyword,core,,Type of host. +1.2.0-dev,True,host.uptime,long,extended,1325,Seconds the host has been up. 
+1.2.0-dev,True,host.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,host.user.email,keyword,extended,,User email address. +1.2.0-dev,True,host.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,host.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,host.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,host.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,host.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,host.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,host.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,http.request.body.bytes,long,extended,887,Size in bytes of the request body. +1.2.0-dev,True,http.request.body.content,keyword,extended,Hello world,The full HTTP request body. +1.2.0-dev,True,http.request.bytes,long,extended,1437,Total size in bytes of the request (body and headers). +1.2.0-dev,True,http.request.method,keyword,extended,"get, post, put",HTTP request method. +1.2.0-dev,True,http.request.referrer,keyword,extended,https://blog.example.com/,Referrer for this HTTP request. +1.2.0-dev,True,http.response.body.bytes,long,extended,887,Size in bytes of the response body. +1.2.0-dev,True,http.response.body.content,keyword,extended,Hello world,The full HTTP response body. +1.2.0-dev,True,http.response.bytes,long,extended,1437,Total size in bytes of the response (body and headers). +1.2.0-dev,True,http.response.status_code,long,extended,404,HTTP response status code. +1.2.0-dev,True,http.version,keyword,extended,1.1,HTTP version. +1.2.0-dev,True,log.level,keyword,core,error,Log level of the log event. +1.2.0-dev,True,log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. 
+1.2.0-dev,True,log.origin.file.line,integer,extended,42,The line number of the file which originated the log event. +1.2.0-dev,True,log.origin.file.name,keyword,extended,Bootstrap.java,The file which originated the log event. +1.2.0-dev,True,log.origin.function,keyword,extended,init,The function which originated the log event. +1.2.0-dev,False,log.original,keyword,core,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.2.0-dev,True,log.syslog,object,extended,,Syslog metadata +1.2.0-dev,True,log.syslog.facility.code,long,extended,23,Syslog numeric facility of the event. +1.2.0-dev,True,log.syslog.facility.name,keyword,extended,local7,Syslog text-based facility of the event. +1.2.0-dev,True,log.syslog.priority,long,extended,135,Syslog priority of the event. +1.2.0-dev,True,log.syslog.severity.code,long,extended,3,Syslog numeric severity of the event. +1.2.0-dev,True,log.syslog.severity.name,keyword,extended,Error,Syslog text-based severity of the event. +1.2.0-dev,True,network.application,keyword,extended,aim,Application level protocol name. +1.2.0-dev,True,network.bytes,long,core,368,Total bytes transferred in both directions. +1.2.0-dev,True,network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.2.0-dev,True,network.direction,keyword,core,inbound,Direction of the network traffic. +1.2.0-dev,True,network.forwarded_ip,ip,core,192.1.1.2,Host IP address when the source IP address is the proxy. +1.2.0-dev,True,network.iana_number,keyword,extended,6,IANA Protocol Number. +1.2.0-dev,True,network.name,keyword,extended,Guest Wifi,Name given by operators to sections of their network. +1.2.0-dev,True,network.packets,long,core,24,Total packets transferred in both directions. +1.2.0-dev,True,network.protocol,keyword,core,http,L7 Network protocol name. 
+1.2.0-dev,True,network.transport,keyword,core,tcp,Protocol Name corresponding to the field `iana_number`. +1.2.0-dev,True,network.type,keyword,core,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.2.0-dev,True,observer.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,observer.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,observer.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,observer.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,observer.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,observer.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,observer.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,observer.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,observer.hostname,keyword,core,,Hostname of the observer. +1.2.0-dev,True,observer.ip,ip,core,,IP address of the observer. +1.2.0-dev,True,observer.mac,keyword,core,,MAC address of the observer +1.2.0-dev,True,observer.name,keyword,extended,1_proxySG,Custom name of the observer. +1.2.0-dev,True,observer.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,observer.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,observer.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,observer.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,observer.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,observer.os.version,keyword,extended,10.14.1,Operating system version as a raw string. 
+1.2.0-dev,True,observer.product,keyword,extended,s200,The product name of the observer. +1.2.0-dev,True,observer.serial_number,keyword,extended,,Observer serial number. +1.2.0-dev,True,observer.type,keyword,core,firewall,The type of the observer the data is coming from. +1.2.0-dev,True,observer.vendor,keyword,core,Symantec,Vendor name of the observer. +1.2.0-dev,True,observer.version,keyword,core,,Observer version. +1.2.0-dev,True,organization.id,keyword,extended,,Unique identifier for the organization. +1.2.0-dev,True,organization.name,keyword,extended,,Organization name. +1.2.0-dev,True,os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,package.architecture,keyword,extended,x86_64,Package architecture. +1.2.0-dev,True,package.build_version,keyword,extended,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.2.0-dev,True,package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.2.0-dev,True,package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.2.0-dev,True,package.install_scope,keyword,extended,global,"Indicating how the package was installed, e.g. user-local, global." +1.2.0-dev,True,package.installed,date,extended,,Time when package was installed. 
+1.2.0-dev,True,package.license,keyword,extended,Apache License 2.0,Package license +1.2.0-dev,True,package.name,keyword,extended,go,Package name +1.2.0-dev,True,package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.2.0-dev,True,package.reference,keyword,extended,https://golang.org,Package reference URL +1.2.0-dev,True,package.size,long,extended,62231,Package size in bytes. +1.2.0-dev,True,package.type,keyword,extended,rpm,Package type +1.2.0-dev,True,package.version,keyword,extended,1.12.9,Package version +1.2.0-dev,True,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.2.0-dev,True,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.2.0-dev,True,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. +1.2.0-dev,True,process.exit_code,long,extended,137,The exit code of the process. +1.2.0-dev,True,process.hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,process.hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,process.hash.sha256,keyword,extended,,SHA256 hash. +1.2.0-dev,True,process.hash.sha512,keyword,extended,,SHA512 hash. +1.2.0-dev,True,process.name,keyword,extended,ssh,Process name. +1.2.0-dev,True,process.parent.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.2.0-dev,True,process.parent.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.2.0-dev,True,process.parent.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. +1.2.0-dev,True,process.parent.exit_code,long,extended,137,The exit code of the process. +1.2.0-dev,True,process.parent.name,keyword,extended,ssh,Process name. +1.2.0-dev,True,process.parent.pgid,long,extended,,Identifier of the group of processes the process belongs to. 
+1.2.0-dev,True,process.parent.pid,long,core,4242,Process id. +1.2.0-dev,True,process.parent.ppid,long,extended,4241,Parent process' pid. +1.2.0-dev,True,process.parent.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. +1.2.0-dev,True,process.parent.thread.id,long,extended,4242,Thread ID. +1.2.0-dev,True,process.parent.thread.name,keyword,extended,thread-0,Thread name. +1.2.0-dev,True,process.parent.title,keyword,extended,,Process title. +1.2.0-dev,True,process.parent.uptime,long,extended,1325,Seconds the process has been up. +1.2.0-dev,True,process.parent.working_directory,keyword,extended,/home/alice,The working directory of the process. +1.2.0-dev,True,process.pgid,long,extended,,Identifier of the group of processes the process belongs to. +1.2.0-dev,True,process.pid,long,core,4242,Process id. +1.2.0-dev,True,process.ppid,long,extended,4241,Parent process' pid. +1.2.0-dev,True,process.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. +1.2.0-dev,True,process.thread.id,long,extended,4242,Thread ID. +1.2.0-dev,True,process.thread.name,keyword,extended,thread-0,Thread name. +1.2.0-dev,True,process.title,keyword,extended,,Process title. +1.2.0-dev,True,process.uptime,long,extended,1325,Seconds the process has been up. +1.2.0-dev,True,process.working_directory,keyword,extended,/home/alice,The working directory of the process. +1.2.0-dev,True,related.ip,ip,extended,,All of the IPs seen on your event. +1.2.0-dev,True,server.address,keyword,extended,,Server network address. +1.2.0-dev,True,server.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,server.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,server.bytes,long,core,184,Bytes sent from the server to the client. +1.2.0-dev,True,server.domain,keyword,core,,Server domain. 
+1.2.0-dev,True,server.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,server.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,server.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,server.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,server.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,server.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,server.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,server.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,server.ip,ip,core,,IP address of the server. +1.2.0-dev,True,server.mac,keyword,core,,MAC address of the server. +1.2.0-dev,True,server.nat.ip,ip,extended,,Server NAT ip +1.2.0-dev,True,server.nat.port,long,extended,,Server NAT port +1.2.0-dev,True,server.packets,long,core,12,Packets sent from the server to the client. +1.2.0-dev,True,server.port,long,core,,Port of the server. +1.2.0-dev,True,server.registered_domain,keyword,extended,google.com,"The highest registered server domain, stripped of the subdomain." +1.2.0-dev,True,server.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,server.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,server.user.email,keyword,extended,,User email address. +1.2.0-dev,True,server.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,server.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,server.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,server.user.group.name,keyword,extended,,Name of the group. 
+1.2.0-dev,True,server.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,server.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,server.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,service.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this service. +1.2.0-dev,True,service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.2.0-dev,True,service.name,keyword,core,elasticsearch-metrics,Name of the service. +1.2.0-dev,True,service.node.name,keyword,extended,instance-0000000016,Name of the service node. +1.2.0-dev,True,service.state,keyword,core,,Current state of the service. +1.2.0-dev,True,service.type,keyword,core,elasticsearch,The type of the service. +1.2.0-dev,True,service.version,keyword,core,3.2.4,Version of the service. +1.2.0-dev,True,source.address,keyword,extended,,Source network address. +1.2.0-dev,True,source.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,source.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,source.bytes,long,core,184,Bytes sent from the source to the destination. +1.2.0-dev,True,source.domain,keyword,core,,Source domain. +1.2.0-dev,True,source.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,source.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,source.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,source.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,source.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,source.geo.name,keyword,extended,boston-dc,User-defined description of a location. 
+1.2.0-dev,True,source.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,source.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,source.ip,ip,core,,IP address of the source. +1.2.0-dev,True,source.mac,keyword,core,,MAC address of the source. +1.2.0-dev,True,source.nat.ip,ip,extended,,Source NAT ip +1.2.0-dev,True,source.nat.port,long,extended,,Source NAT port +1.2.0-dev,True,source.packets,long,core,12,Packets sent from the source to the destination. +1.2.0-dev,True,source.port,long,core,,Port of the source. +1.2.0-dev,True,source.registered_domain,keyword,extended,google.com,"The highest registered source domain, stripped of the subdomain." +1.2.0-dev,True,source.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,source.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,source.user.email,keyword,extended,,User email address. +1.2.0-dev,True,source.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,source.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,source.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,source.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,source.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,source.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,source.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,threat.framework,keyword,extended,MITRE ATT&CK,Threat classification framework. +1.2.0-dev,True,threat.tactic.id,keyword,extended,TA0040,Threat tactic id. +1.2.0-dev,True,threat.tactic.name,keyword,extended,impact,Threat tactic. 
+1.2.0-dev,True,threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference. +1.2.0-dev,True,threat.technique.id,keyword,extended,T1499,Threat technique id. +1.2.0-dev,True,threat.technique.name,keyword,extended,endpoint denial of service,Threat technique name. +1.2.0-dev,True,threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,Threat technique reference. +1.2.0-dev,True,tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.2.0-dev,True,tls.client.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +1.2.0-dev,True,tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +1.2.0-dev,True,tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.2.0-dev,True,tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.2.0-dev,True,tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.2.0-dev,True,tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.2.0-dev,True,tls.client.server_name,keyword,extended,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." +1.2.0-dev,True,tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.2.0-dev,True,tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. +1.2.0-dev,True,tls.curve,keyword,extended,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.2.0-dev,True,tls.established,boolean,extended,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.2.0-dev,True,tls.next_protocol,keyword,extended,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." 
+1.2.0-dev,True,tls.resumed,boolean,extended,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.2.0-dev,True,tls.server.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +1.2.0-dev,True,tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +1.2.0-dev,True,tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.2.0-dev,True,tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. 
+1.2.0-dev,True,tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.2.0-dev,True,tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.2.0-dev,True,tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. +1.2.0-dev,True,tls.server.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the server during the server hello. +1.2.0-dev,True,tls.version,keyword,extended,1.2,Numeric part of the version parsed from the original string. +1.2.0-dev,True,tls.version_protocol,keyword,extended,tls,Normalized lowercase protocol name parsed from original string. +1.2.0-dev,True,trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.2.0-dev,True,transaction.id,keyword,extended,00f067aa0ba902b7,Unique identifier of the transaction. +1.2.0-dev,True,url.domain,keyword,extended,www.elastic.co,Domain of the url. +1.2.0-dev,True,url.extension,keyword,extended,png,File extension from the original request url. +1.2.0-dev,True,url.fragment,keyword,extended,,Portion of the url after the `#`. +1.2.0-dev,True,url.full,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.2.0-dev,True,url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.2.0-dev,True,url.password,keyword,extended,,Password of the request. +1.2.0-dev,True,url.path,keyword,extended,,"Path of the request, such as ""/search""." +1.2.0-dev,True,url.port,long,extended,443,"Port of the request, such as 443." 
+1.2.0-dev,True,url.query,keyword,extended,,Query string of the request. +1.2.0-dev,True,url.registered_domain,keyword,extended,google.com,"The highest registered url domain, stripped of the subdomain." +1.2.0-dev,True,url.scheme,keyword,extended,https,Scheme of the url. +1.2.0-dev,True,url.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,url.username,keyword,extended,,Username of the request. +1.2.0-dev,True,user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,user.email,keyword,extended,,User email address. +1.2.0-dev,True,user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,user_agent.device.name,keyword,extended,iPhone,Name of the device. +1.2.0-dev,True,user_agent.name,keyword,extended,Safari,Name of the user agent. +1.2.0-dev,True,user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed version of the user_agent. +1.2.0-dev,True,user_agent.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,user_agent.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.2.0-dev,True,user_agent.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,user_agent.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,user_agent.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,user_agent.os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,user_agent.version,keyword,extended,12.0,Version of the user agent. +1.2.0-dev,True,vulnerability.category,keyword,extended,"[""Firewall""]",Category of a vulnerability. +1.2.0-dev,True,vulnerability.classification,keyword,extended,CVSS,Classification of the vulnerability. +1.2.0-dev,True,vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.2.0-dev,True,vulnerability.enumeration,keyword,extended,CVE,Identifier of the vulnerability. +1.2.0-dev,True,vulnerability.id,keyword,extended,CVE-2019-00001,ID of the vulnerability. +1.2.0-dev,True,vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.2.0-dev,True,vulnerability.report_id,keyword,extended,20191018.0001,Scan identification number. +1.2.0-dev,True,vulnerability.scanner.vendor,keyword,extended,Tenable,Name of the scanner vendor. +1.2.0-dev,True,vulnerability.score.base,float,extended,5.5,Vulnerability Base score. +1.2.0-dev,True,vulnerability.score.environmental,float,extended,5.5,Vulnerability Environmental score. +1.2.0-dev,True,vulnerability.score.temporal,float,extended,,Vulnerability Temporal score. +1.2.0-dev,True,vulnerability.score.version,keyword,extended,2.0,CVSS version. +1.2.0-dev,True,vulnerability.severity,keyword,extended,Critical,Severity of the vulnerability. 
diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py
index 9377779c53..4b900065b9 100644
--- a/scripts/generators/csv_generator.py
+++ b/scripts/generators/csv_generator.py
@@ -29,12 +29,14 @@ def save_csv(file, sorted_fields, version):
                                quoting=csv.QUOTE_MINIMAL, lineterminator='\n')
-    schema_writer.writerow(["Field", "Type", "Level", "Example", "ECS version"])
+    schema_writer.writerow(["ECS version", "Indexed", "Field", "Type", "Level", "Example", "Description"])
     for field in sorted_fields:
         schema_writer.writerow([
+            version,
+            field.get('index', True),
             field['flat_name'],
             field['type'],
             field['level'],
             field.get('example', ''),
-            version
+            field['short'],
         ])
From cfe5b44634e73c1e194f3acea7386f0b4f72052c Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Thu, 21 Nov 2019 00:13:17 -0500
Subject: [PATCH 2/7] Add 'Field Set' column as well
---
 generated/csv/fields.csv | 922 ++++++++++++++--------------
 scripts/generators/csv_generator.py | 3 +-
 2 files changed, 463 insertions(+), 462 deletions(-)
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 7c8036578d..0a557711ca 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
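Review bot: `field['short']` on the new row is a direct index while the sibling `field.get('example', '')` tolerates a missing key, so a field definition without `short` would now abort save_csv with a KeyError part-way through writing fields.csv and leave a truncated generated file. If upstream processing does not guarantee that every field carries `short`, `field.get('short', ''),` keeps the two free-text columns consistent with each other. The enclosing function save_csv starts before the hunk. Example and Description are free-text columns that will be opened in spreadsheet tools, and `csv.QUOTE_MINIMAL` does not neutralise a cell beginning with `=`, `+`, `-` or `@`; the values come from the project's own schema files so exposure is limited, but a short comment on the writer recording that assumption would help the next maintainer.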
@@ -1,461 +1,461 @@ -ECS version,Indexed,Field,Type,Level,Example,Description -1.2.0-dev,True,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.2.0-dev,True,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. -1.2.0-dev,True,message,text,core,Hello World,Log message optimized for viewing in a log viewer. -1.2.0-dev,True,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. -1.2.0-dev,True,agent.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this agent. -1.2.0-dev,True,agent.id,keyword,core,8a4f500d,Unique identifier of this agent. -1.2.0-dev,True,agent.name,keyword,core,foo,Custom name of the agent. -1.2.0-dev,True,agent.type,keyword,core,filebeat,Type of the agent. -1.2.0-dev,True,agent.version,keyword,core,6.0.0-rc2,Version of the agent. -1.2.0-dev,True,as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.2.0-dev,True,as.organization.name,keyword,extended,Google LLC,Organization name. -1.2.0-dev,True,client.address,keyword,extended,,Client network address. -1.2.0-dev,True,client.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.2.0-dev,True,client.as.organization.name,keyword,extended,Google LLC,Organization name. -1.2.0-dev,True,client.bytes,long,core,184,Bytes sent from the client to the server. -1.2.0-dev,True,client.domain,keyword,core,,Client domain. -1.2.0-dev,True,client.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,client.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,client.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,client.geo.country_name,keyword,core,Canada,Country name. 
-1.2.0-dev,True,client.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,client.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,client.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,client.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,client.ip,ip,core,,IP address of the client. -1.2.0-dev,True,client.mac,keyword,core,,MAC address of the client. -1.2.0-dev,True,client.nat.ip,ip,extended,,Client NAT ip address -1.2.0-dev,True,client.nat.port,long,extended,,Client NAT port -1.2.0-dev,True,client.packets,long,core,12,Packets sent from the client to the server. -1.2.0-dev,True,client.port,long,core,,Port of the client. -1.2.0-dev,True,client.registered_domain,keyword,extended,google.com,"The highest registered client domain, stripped of the subdomain." -1.2.0-dev,True,client.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,client.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,client.user.email,keyword,extended,,User email address. -1.2.0-dev,True,client.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,client.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,client.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,client.user.group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,client.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.2.0-dev,True,client.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,client.user.name,keyword,core,albert,Short name or login of the user. 
-1.2.0-dev,True,cloud.account.id,keyword,extended,666777888999,The cloud account or organization id. -1.2.0-dev,True,cloud.availability_zone,keyword,extended,us-east-1c,Availability zone in which this host is running. -1.2.0-dev,True,cloud.instance.id,keyword,extended,i-1234567890abcdef0,Instance ID of the host machine. -1.2.0-dev,True,cloud.instance.name,keyword,extended,,Instance name of the host machine. -1.2.0-dev,True,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine. -1.2.0-dev,True,cloud.provider,keyword,extended,aws,Name of the cloud provider. -1.2.0-dev,True,cloud.region,keyword,extended,us-east-1,Region in which this host is running. -1.2.0-dev,True,container.id,keyword,core,,Unique container id. -1.2.0-dev,True,container.image.name,keyword,extended,,Name of the image the container was built on. -1.2.0-dev,True,container.image.tag,keyword,extended,,Container image tag. -1.2.0-dev,True,container.labels,object,extended,,Image labels. -1.2.0-dev,True,container.name,keyword,extended,,Container name. -1.2.0-dev,True,container.runtime,keyword,extended,docker,Runtime managing this container. -1.2.0-dev,True,destination.address,keyword,extended,,Destination network address. -1.2.0-dev,True,destination.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.2.0-dev,True,destination.as.organization.name,keyword,extended,Google LLC,Organization name. -1.2.0-dev,True,destination.bytes,long,core,184,Bytes sent from the destination to the source. -1.2.0-dev,True,destination.domain,keyword,core,,Destination domain. -1.2.0-dev,True,destination.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,destination.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,destination.geo.country_iso_code,keyword,core,CA,Country ISO code. 
-1.2.0-dev,True,destination.geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,destination.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,destination.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,destination.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,destination.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,destination.ip,ip,core,,IP address of the destination. -1.2.0-dev,True,destination.mac,keyword,core,,MAC address of the destination. -1.2.0-dev,True,destination.nat.ip,ip,extended,,Destination NAT ip -1.2.0-dev,True,destination.nat.port,long,extended,,Destination NAT Port -1.2.0-dev,True,destination.packets,long,core,12,Packets sent from the destination to the source. -1.2.0-dev,True,destination.port,long,core,,Port of the destination. -1.2.0-dev,True,destination.registered_domain,keyword,extended,google.com,"The highest registered destination domain, stripped of the subdomain." -1.2.0-dev,True,destination.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,destination.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,destination.user.email,keyword,extended,,User email address. -1.2.0-dev,True,destination.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,destination.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,destination.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,destination.user.group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,destination.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. 
-1.2.0-dev,True,destination.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,destination.user.name,keyword,core,albert,Short name or login of the user. -1.2.0-dev,True,dns.answers,object,extended,,Array of DNS answers. -1.2.0-dev,True,dns.answers.class,keyword,extended,IN,The class of DNS data contained in this resource record. -1.2.0-dev,True,dns.answers.data,keyword,extended,10.10.10.10,The data describing the resource. -1.2.0-dev,True,dns.answers.name,keyword,extended,www.google.com,The domain name to which this resource record pertains. -1.2.0-dev,True,dns.answers.ttl,long,extended,180,The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -1.2.0-dev,True,dns.answers.type,keyword,extended,CNAME,The type of data contained in this resource record. -1.2.0-dev,True,dns.header_flags,keyword,extended,"['RD', 'RA']",Array of DNS header flags. -1.2.0-dev,True,dns.id,keyword,extended,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.2.0-dev,True,dns.op_code,keyword,extended,QUERY,The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. -1.2.0-dev,True,dns.question.class,keyword,extended,IN,The class of of records being queried. -1.2.0-dev,True,dns.question.name,keyword,extended,www.google.com,The name being queried. -1.2.0-dev,True,dns.question.registered_domain,keyword,extended,google.com,"The highest registered domain, stripped of the subdomain." -1.2.0-dev,True,dns.question.subdomain,keyword,extended,www,The subdomain of the domain. -1.2.0-dev,True,dns.question.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,dns.question.type,keyword,extended,AAAA,The type of record being queried. 
-1.2.0-dev,True,dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data -1.2.0-dev,True,dns.response_code,keyword,extended,NOERROR,The DNS response code. -1.2.0-dev,True,dns.type,keyword,extended,answer,"The type of DNS event captured, query or answer." -1.2.0-dev,True,ecs.version,keyword,core,1.0.0,ECS version this event conforms to. -1.2.0-dev,True,error.code,keyword,core,,Error code describing the error. -1.2.0-dev,True,error.id,keyword,core,,Unique identifier for the error. -1.2.0-dev,True,error.message,text,core,,Error message. -1.2.0-dev,False,error.stack_trace,keyword,extended,,The stack trace of this error in plain text. -1.2.0-dev,True,error.type,keyword,extended,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.2.0-dev,True,event.action,keyword,core,user-password-change,The action captured by the event. -1.2.0-dev,True,event.category,keyword,core,user-management,Event category. -1.2.0-dev,True,event.code,keyword,extended,4648,Identification code for this event. -1.2.0-dev,True,event.created,date,core,2016-05-23 08:05:34.857000,Time when the event was first read by an agent or by your pipeline. -1.2.0-dev,True,event.dataset,keyword,core,apache.access,Name of the dataset. -1.2.0-dev,True,event.duration,long,core,,Duration of the event in nanoseconds. -1.2.0-dev,True,event.end,date,extended,,event.end contains the date when the event ended or when the activity was last observed. -1.2.0-dev,True,event.hash,keyword,extended,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.2.0-dev,True,event.id,keyword,core,8a4f500d,Unique ID to describe the event. -1.2.0-dev,True,event.ingested,date,core,2016-05-23 08:05:35.101000,Timestamp when an event arrived in the central data store. -1.2.0-dev,True,event.kind,keyword,extended,state,The kind of the event. 
-1.2.0-dev,True,event.module,keyword,core,apache,Name of the module this data is coming from. -1.2.0-dev,False,event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.2.0-dev,True,event.outcome,keyword,extended,success,The outcome of the event. -1.2.0-dev,True,event.provider,keyword,extended,kernel,Source of the event. -1.2.0-dev,True,event.risk_score,float,core,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.2.0-dev,True,event.risk_score_norm,float,extended,,Normalized risk score or priority of the event (0-100). -1.2.0-dev,True,event.sequence,long,extended,,Sequence number of the event. -1.2.0-dev,True,event.severity,long,core,7,Numeric severity of the event. -1.2.0-dev,True,event.start,date,extended,,event.start contains the date when the event started or when the activity was first observed. -1.2.0-dev,True,event.timezone,keyword,extended,,Event time zone. -1.2.0-dev,True,event.type,keyword,core,,Reserved for future usage. -1.2.0-dev,True,file.accessed,date,extended,,Last time the file was accessed. -1.2.0-dev,True,file.created,date,extended,,File creation time. -1.2.0-dev,True,file.ctime,date,extended,,Last time the file attributes or metadata changed. -1.2.0-dev,True,file.device,keyword,extended,sda,Device that is the source of the file. -1.2.0-dev,True,file.directory,keyword,extended,/home/alice,Directory where the file is located. -1.2.0-dev,True,file.extension,keyword,extended,png,File extension. -1.2.0-dev,True,file.gid,keyword,extended,1001,Primary group ID (GID) of the file. -1.2.0-dev,True,file.group,keyword,extended,alice,Primary group name of the file. -1.2.0-dev,True,file.hash.md5,keyword,extended,,MD5 hash. -1.2.0-dev,True,file.hash.sha1,keyword,extended,,SHA1 hash. -1.2.0-dev,True,file.hash.sha256,keyword,extended,,SHA256 hash. 
-1.2.0-dev,True,file.hash.sha512,keyword,extended,,SHA512 hash. -1.2.0-dev,True,file.inode,keyword,extended,256383,Inode representing the file in the filesystem. -1.2.0-dev,True,file.mode,keyword,extended,0640,Mode of the file in octal representation. -1.2.0-dev,True,file.mtime,date,extended,,Last time the file content was modified. -1.2.0-dev,True,file.name,keyword,extended,example.png,"Name of the file including the extension, without the directory." -1.2.0-dev,True,file.owner,keyword,extended,alice,File owner's username. -1.2.0-dev,True,file.path,keyword,extended,/home/alice/example.png,Full path to the file. -1.2.0-dev,True,file.size,long,extended,16384,File size in bytes. -1.2.0-dev,True,file.target_path,keyword,extended,,Target path for symlinks. -1.2.0-dev,True,file.type,keyword,extended,file,"File type (file, dir, or symlink)." -1.2.0-dev,True,file.uid,keyword,extended,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.2.0-dev,True,geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,hash.md5,keyword,extended,,MD5 hash. -1.2.0-dev,True,hash.sha1,keyword,extended,,SHA1 hash. 
-1.2.0-dev,True,hash.sha256,keyword,extended,,SHA256 hash. -1.2.0-dev,True,hash.sha512,keyword,extended,,SHA512 hash. -1.2.0-dev,True,host.architecture,keyword,core,x86_64,Operating system architecture. -1.2.0-dev,True,host.domain,keyword,extended,CONTOSO,Name of the directory the group is a member of. -1.2.0-dev,True,host.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,host.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,host.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,host.geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,host.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,host.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,host.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,host.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,host.hostname,keyword,core,,Hostname of the host. -1.2.0-dev,True,host.id,keyword,core,,Unique host id. -1.2.0-dev,True,host.ip,ip,core,,Host ip address. -1.2.0-dev,True,host.mac,keyword,core,,Host mac address. -1.2.0-dev,True,host.name,keyword,core,,Name of the host. -1.2.0-dev,True,host.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.2.0-dev,True,host.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.2.0-dev,True,host.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.2.0-dev,True,host.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.2.0-dev,True,host.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.2.0-dev,True,host.os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.2.0-dev,True,host.type,keyword,core,,Type of host. 
-1.2.0-dev,True,host.uptime,long,extended,1325,Seconds the host has been up. -1.2.0-dev,True,host.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,host.user.email,keyword,extended,,User email address. -1.2.0-dev,True,host.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,host.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,host.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,host.user.group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,host.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.2.0-dev,True,host.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,host.user.name,keyword,core,albert,Short name or login of the user. -1.2.0-dev,True,http.request.body.bytes,long,extended,887,Size in bytes of the request body. -1.2.0-dev,True,http.request.body.content,keyword,extended,Hello world,The full HTTP request body. -1.2.0-dev,True,http.request.bytes,long,extended,1437,Total size in bytes of the request (body and headers). -1.2.0-dev,True,http.request.method,keyword,extended,"get, post, put",HTTP request method. -1.2.0-dev,True,http.request.referrer,keyword,extended,https://blog.example.com/,Referrer for this HTTP request. -1.2.0-dev,True,http.response.body.bytes,long,extended,887,Size in bytes of the response body. -1.2.0-dev,True,http.response.body.content,keyword,extended,Hello world,The full HTTP response body. -1.2.0-dev,True,http.response.bytes,long,extended,1437,Total size in bytes of the response (body and headers). -1.2.0-dev,True,http.response.status_code,long,extended,404,HTTP response status code. -1.2.0-dev,True,http.version,keyword,extended,1.1,HTTP version. -1.2.0-dev,True,log.level,keyword,core,error,Log level of the log event. 
-1.2.0-dev,True,log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.2.0-dev,True,log.origin.file.line,integer,extended,42,The line number of the file which originated the log event. -1.2.0-dev,True,log.origin.file.name,keyword,extended,Bootstrap.java,The file which originated the log event. -1.2.0-dev,True,log.origin.function,keyword,extended,init,The function which originated the log event. -1.2.0-dev,False,log.original,keyword,core,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.2.0-dev,True,log.syslog,object,extended,,Syslog metadata -1.2.0-dev,True,log.syslog.facility.code,long,extended,23,Syslog numeric facility of the event. -1.2.0-dev,True,log.syslog.facility.name,keyword,extended,local7,Syslog text-based facility of the event. -1.2.0-dev,True,log.syslog.priority,long,extended,135,Syslog priority of the event. -1.2.0-dev,True,log.syslog.severity.code,long,extended,3,Syslog numeric severity of the event. -1.2.0-dev,True,log.syslog.severity.name,keyword,extended,Error,Syslog text-based severity of the event. -1.2.0-dev,True,network.application,keyword,extended,aim,Application level protocol name. -1.2.0-dev,True,network.bytes,long,core,368,Total bytes transferred in both directions. -1.2.0-dev,True,network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.2.0-dev,True,network.direction,keyword,core,inbound,Direction of the network traffic. -1.2.0-dev,True,network.forwarded_ip,ip,core,192.1.1.2,Host IP address when the source IP address is the proxy. -1.2.0-dev,True,network.iana_number,keyword,extended,6,IANA Protocol Number. -1.2.0-dev,True,network.name,keyword,extended,Guest Wifi,Name given by operators to sections of their network. -1.2.0-dev,True,network.packets,long,core,24,Total packets transferred in both directions. -1.2.0-dev,True,network.protocol,keyword,core,http,L7 Network protocol name. 
-1.2.0-dev,True,network.transport,keyword,core,tcp,Protocol Name corresponding to the field `iana_number`. -1.2.0-dev,True,network.type,keyword,core,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.2.0-dev,True,observer.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,observer.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,observer.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,observer.geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,observer.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,observer.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,observer.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,observer.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,observer.hostname,keyword,core,,Hostname of the observer. -1.2.0-dev,True,observer.ip,ip,core,,IP address of the observer. -1.2.0-dev,True,observer.mac,keyword,core,,MAC address of the observer -1.2.0-dev,True,observer.name,keyword,extended,1_proxySG,Custom name of the observer. -1.2.0-dev,True,observer.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.2.0-dev,True,observer.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.2.0-dev,True,observer.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.2.0-dev,True,observer.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.2.0-dev,True,observer.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.2.0-dev,True,observer.os.version,keyword,extended,10.14.1,Operating system version as a raw string. 
-1.2.0-dev,True,observer.product,keyword,extended,s200,The product name of the observer. -1.2.0-dev,True,observer.serial_number,keyword,extended,,Observer serial number. -1.2.0-dev,True,observer.type,keyword,core,firewall,The type of the observer the data is coming from. -1.2.0-dev,True,observer.vendor,keyword,core,Symantec,Vendor name of the observer. -1.2.0-dev,True,observer.version,keyword,core,,Observer version. -1.2.0-dev,True,organization.id,keyword,extended,,Unique identifier for the organization. -1.2.0-dev,True,organization.name,keyword,extended,,Organization name. -1.2.0-dev,True,os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.2.0-dev,True,os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.2.0-dev,True,os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.2.0-dev,True,os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.2.0-dev,True,os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.2.0-dev,True,os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.2.0-dev,True,package.architecture,keyword,extended,x86_64,Package architecture. -1.2.0-dev,True,package.build_version,keyword,extended,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.2.0-dev,True,package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.2.0-dev,True,package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.2.0-dev,True,package.install_scope,keyword,extended,global,"Indicating how the package was installed, e.g. user-local, global." -1.2.0-dev,True,package.installed,date,extended,,Time when package was installed. 
-1.2.0-dev,True,package.license,keyword,extended,Apache License 2.0,Package license -1.2.0-dev,True,package.name,keyword,extended,go,Package name -1.2.0-dev,True,package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.2.0-dev,True,package.reference,keyword,extended,https://golang.org,Package reference URL -1.2.0-dev,True,package.size,long,extended,62231,Package size in bytes. -1.2.0-dev,True,package.type,keyword,extended,rpm,Package type -1.2.0-dev,True,package.version,keyword,extended,1.12.9,Package version -1.2.0-dev,True,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.2.0-dev,True,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.2.0-dev,True,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. -1.2.0-dev,True,process.exit_code,long,extended,137,The exit code of the process. -1.2.0-dev,True,process.hash.md5,keyword,extended,,MD5 hash. -1.2.0-dev,True,process.hash.sha1,keyword,extended,,SHA1 hash. -1.2.0-dev,True,process.hash.sha256,keyword,extended,,SHA256 hash. -1.2.0-dev,True,process.hash.sha512,keyword,extended,,SHA512 hash. -1.2.0-dev,True,process.name,keyword,extended,ssh,Process name. -1.2.0-dev,True,process.parent.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.2.0-dev,True,process.parent.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.2.0-dev,True,process.parent.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. -1.2.0-dev,True,process.parent.exit_code,long,extended,137,The exit code of the process. -1.2.0-dev,True,process.parent.name,keyword,extended,ssh,Process name. -1.2.0-dev,True,process.parent.pgid,long,extended,,Identifier of the group of processes the process belongs to. 
-1.2.0-dev,True,process.parent.pid,long,core,4242,Process id. -1.2.0-dev,True,process.parent.ppid,long,extended,4241,Parent process' pid. -1.2.0-dev,True,process.parent.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. -1.2.0-dev,True,process.parent.thread.id,long,extended,4242,Thread ID. -1.2.0-dev,True,process.parent.thread.name,keyword,extended,thread-0,Thread name. -1.2.0-dev,True,process.parent.title,keyword,extended,,Process title. -1.2.0-dev,True,process.parent.uptime,long,extended,1325,Seconds the process has been up. -1.2.0-dev,True,process.parent.working_directory,keyword,extended,/home/alice,The working directory of the process. -1.2.0-dev,True,process.pgid,long,extended,,Identifier of the group of processes the process belongs to. -1.2.0-dev,True,process.pid,long,core,4242,Process id. -1.2.0-dev,True,process.ppid,long,extended,4241,Parent process' pid. -1.2.0-dev,True,process.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. -1.2.0-dev,True,process.thread.id,long,extended,4242,Thread ID. -1.2.0-dev,True,process.thread.name,keyword,extended,thread-0,Thread name. -1.2.0-dev,True,process.title,keyword,extended,,Process title. -1.2.0-dev,True,process.uptime,long,extended,1325,Seconds the process has been up. -1.2.0-dev,True,process.working_directory,keyword,extended,/home/alice,The working directory of the process. -1.2.0-dev,True,related.ip,ip,extended,,All of the IPs seen on your event. -1.2.0-dev,True,server.address,keyword,extended,,Server network address. -1.2.0-dev,True,server.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.2.0-dev,True,server.as.organization.name,keyword,extended,Google LLC,Organization name. -1.2.0-dev,True,server.bytes,long,core,184,Bytes sent from the server to the client. -1.2.0-dev,True,server.domain,keyword,core,,Server domain. 
-1.2.0-dev,True,server.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,server.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,server.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,server.geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,server.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,server.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.2.0-dev,True,server.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,server.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,server.ip,ip,core,,IP address of the server. -1.2.0-dev,True,server.mac,keyword,core,,MAC address of the server. -1.2.0-dev,True,server.nat.ip,ip,extended,,Server NAT ip -1.2.0-dev,True,server.nat.port,long,extended,,Server NAT port -1.2.0-dev,True,server.packets,long,core,12,Packets sent from the server to the client. -1.2.0-dev,True,server.port,long,core,,Port of the server. -1.2.0-dev,True,server.registered_domain,keyword,extended,google.com,"The highest registered server domain, stripped of the subdomain." -1.2.0-dev,True,server.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,server.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,server.user.email,keyword,extended,,User email address. -1.2.0-dev,True,server.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,server.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,server.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,server.user.group.name,keyword,extended,,Name of the group. 
-1.2.0-dev,True,server.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.2.0-dev,True,server.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,server.user.name,keyword,core,albert,Short name or login of the user. -1.2.0-dev,True,service.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this service. -1.2.0-dev,True,service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.2.0-dev,True,service.name,keyword,core,elasticsearch-metrics,Name of the service. -1.2.0-dev,True,service.node.name,keyword,extended,instance-0000000016,Name of the service node. -1.2.0-dev,True,service.state,keyword,core,,Current state of the service. -1.2.0-dev,True,service.type,keyword,core,elasticsearch,The type of the service. -1.2.0-dev,True,service.version,keyword,core,3.2.4,Version of the service. -1.2.0-dev,True,source.address,keyword,extended,,Source network address. -1.2.0-dev,True,source.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.2.0-dev,True,source.as.organization.name,keyword,extended,Google LLC,Organization name. -1.2.0-dev,True,source.bytes,long,core,184,Bytes sent from the source to the destination. -1.2.0-dev,True,source.domain,keyword,core,,Source domain. -1.2.0-dev,True,source.geo.city_name,keyword,core,Montreal,City name. -1.2.0-dev,True,source.geo.continent_name,keyword,core,North America,Name of the continent. -1.2.0-dev,True,source.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.2.0-dev,True,source.geo.country_name,keyword,core,Canada,Country name. -1.2.0-dev,True,source.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.2.0-dev,True,source.geo.name,keyword,extended,boston-dc,User-defined description of a location. 
-1.2.0-dev,True,source.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.2.0-dev,True,source.geo.region_name,keyword,core,Quebec,Region name. -1.2.0-dev,True,source.ip,ip,core,,IP address of the source. -1.2.0-dev,True,source.mac,keyword,core,,MAC address of the source. -1.2.0-dev,True,source.nat.ip,ip,extended,,Source NAT ip -1.2.0-dev,True,source.nat.port,long,extended,,Source NAT port -1.2.0-dev,True,source.packets,long,core,12,Packets sent from the source to the destination. -1.2.0-dev,True,source.port,long,core,,Port of the source. -1.2.0-dev,True,source.registered_domain,keyword,extended,google.com,"The highest registered source domain, stripped of the subdomain." -1.2.0-dev,True,source.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,source.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,source.user.email,keyword,extended,,User email address. -1.2.0-dev,True,source.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,source.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,source.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,source.user.group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,source.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.2.0-dev,True,source.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,source.user.name,keyword,core,albert,Short name or login of the user. -1.2.0-dev,True,threat.framework,keyword,extended,MITRE ATT&CK,Threat classification framework. -1.2.0-dev,True,threat.tactic.id,keyword,extended,TA0040,Threat tactic id. -1.2.0-dev,True,threat.tactic.name,keyword,extended,impact,Threat tactic. 
-1.2.0-dev,True,threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference. -1.2.0-dev,True,threat.technique.id,keyword,extended,T1499,Threat technique id. -1.2.0-dev,True,threat.technique.name,keyword,extended,endpoint denial of service,Threat technique name. -1.2.0-dev,True,threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,Threat technique reference. -1.2.0-dev,True,tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.2.0-dev,True,tls.client.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. -1.2.0-dev,True,tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. -1.2.0-dev,True,tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.2.0-dev,True,tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.2.0-dev,True,tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.2.0-dev,True,tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.2.0-dev,True,tls.client.server_name,keyword,extended,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." -1.2.0-dev,True,tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.2.0-dev,True,tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. -1.2.0-dev,True,tls.curve,keyword,extended,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.2.0-dev,True,tls.established,boolean,extended,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.2.0-dev,True,tls.next_protocol,keyword,extended,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." 
-1.2.0-dev,True,tls.resumed,boolean,extended,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.2.0-dev,True,tls.server.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -1.2.0-dev,True,tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. -1.2.0-dev,True,tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.2.0-dev,True,tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.2.0-dev,True,tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. 
-1.2.0-dev,True,tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.2.0-dev,True,tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.2.0-dev,True,tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. -1.2.0-dev,True,tls.server.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the server during the server hello. -1.2.0-dev,True,tls.version,keyword,extended,1.2,Numeric part of the version parsed from the original string. -1.2.0-dev,True,tls.version_protocol,keyword,extended,tls,Normalized lowercase protocol name parsed from original string. -1.2.0-dev,True,trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.2.0-dev,True,transaction.id,keyword,extended,00f067aa0ba902b7,Unique identifier of the transaction. -1.2.0-dev,True,url.domain,keyword,extended,www.elastic.co,Domain of the url. -1.2.0-dev,True,url.extension,keyword,extended,png,File extension from the original request url. -1.2.0-dev,True,url.fragment,keyword,extended,,Portion of the url after the `#`. -1.2.0-dev,True,url.full,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.2.0-dev,True,url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.2.0-dev,True,url.password,keyword,extended,,Password of the request. -1.2.0-dev,True,url.path,keyword,extended,,"Path of the request, such as ""/search""." -1.2.0-dev,True,url.port,long,extended,443,"Port of the request, such as 443." 
-1.2.0-dev,True,url.query,keyword,extended,,Query string of the request. -1.2.0-dev,True,url.registered_domain,keyword,extended,google.com,"The highest registered url domain, stripped of the subdomain." -1.2.0-dev,True,url.scheme,keyword,extended,https,Scheme of the url. -1.2.0-dev,True,url.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.2.0-dev,True,url.username,keyword,extended,,Username of the request. -1.2.0-dev,True,user.domain,keyword,extended,,Name of the directory the user is a member of. -1.2.0-dev,True,user.email,keyword,extended,,User email address. -1.2.0-dev,True,user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.2.0-dev,True,user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.2.0-dev,True,user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.2.0-dev,True,user.group.name,keyword,extended,,Name of the group. -1.2.0-dev,True,user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.2.0-dev,True,user.id,keyword,core,,One or multiple unique identifiers of the user. -1.2.0-dev,True,user.name,keyword,core,albert,Short name or login of the user. -1.2.0-dev,True,user_agent.device.name,keyword,extended,iPhone,Name of the device. -1.2.0-dev,True,user_agent.name,keyword,extended,Safari,Name of the user agent. -1.2.0-dev,True,user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed version of the user_agent. -1.2.0-dev,True,user_agent.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.2.0-dev,True,user_agent.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." 
-1.2.0-dev,True,user_agent.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.2.0-dev,True,user_agent.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.2.0-dev,True,user_agent.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.2.0-dev,True,user_agent.os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.2.0-dev,True,user_agent.version,keyword,extended,12.0,Version of the user agent. -1.2.0-dev,True,vulnerability.category,keyword,extended,"[""Firewall""]",Category of a vulnerability. -1.2.0-dev,True,vulnerability.classification,keyword,extended,CVSS,Classification of the vulnerability. -1.2.0-dev,True,vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.2.0-dev,True,vulnerability.enumeration,keyword,extended,CVE,Identifier of the vulnerability. -1.2.0-dev,True,vulnerability.id,keyword,extended,CVE-2019-00001,ID of the vulnerability. -1.2.0-dev,True,vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.2.0-dev,True,vulnerability.report_id,keyword,extended,20191018.0001,Scan identification number. -1.2.0-dev,True,vulnerability.scanner.vendor,keyword,extended,Tenable,Name of the scanner vendor. -1.2.0-dev,True,vulnerability.score.base,float,extended,5.5,Vulnerability Base score. -1.2.0-dev,True,vulnerability.score.environmental,float,extended,5.5,Vulnerability Environmental score. -1.2.0-dev,True,vulnerability.score.temporal,float,extended,,Vulnerability Temporal score. -1.2.0-dev,True,vulnerability.score.version,keyword,extended,2.0,CVSS version. -1.2.0-dev,True,vulnerability.severity,keyword,extended,Critical,Severity of the vulnerability. 
+ECS version,Indexed,Field Set,Field,Type,Level,Example,Description +1.2.0-dev,True,@timestamp,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.2.0-dev,True,labels,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. +1.2.0-dev,True,message,message,text,core,Hello World,Log message optimized for viewing in a log viewer. +1.2.0-dev,True,tags,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. +1.2.0-dev,True,agent,agent.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this agent. +1.2.0-dev,True,agent,agent.id,keyword,core,8a4f500d,Unique identifier of this agent. +1.2.0-dev,True,agent,agent.name,keyword,core,foo,Custom name of the agent. +1.2.0-dev,True,agent,agent.type,keyword,core,filebeat,Type of the agent. +1.2.0-dev,True,agent,agent.version,keyword,core,6.0.0-rc2,Version of the agent. +1.2.0-dev,True,as,as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,as,as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,client,client.address,keyword,extended,,Client network address. +1.2.0-dev,True,client,client.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,client,client.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,client,client.bytes,long,core,184,Bytes sent from the client to the server. +1.2.0-dev,True,client,client.domain,keyword,core,,Client domain. +1.2.0-dev,True,client,client.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,client,client.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,client,client.geo.country_iso_code,keyword,core,CA,Country ISO code. 
+1.2.0-dev,True,client,client.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,client,client.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,client,client.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,client,client.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,client,client.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,client,client.ip,ip,core,,IP address of the client. +1.2.0-dev,True,client,client.mac,keyword,core,,MAC address of the client. +1.2.0-dev,True,client,client.nat.ip,ip,extended,,Client NAT ip address +1.2.0-dev,True,client,client.nat.port,long,extended,,Client NAT port +1.2.0-dev,True,client,client.packets,long,core,12,Packets sent from the client to the server. +1.2.0-dev,True,client,client.port,long,core,,Port of the client. +1.2.0-dev,True,client,client.registered_domain,keyword,extended,google.com,"The highest registered client domain, stripped of the subdomain." +1.2.0-dev,True,client,client.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,client,client.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,client,client.user.email,keyword,extended,,User email address. +1.2.0-dev,True,client,client.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,client,client.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,client,client.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,client,client.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,client,client.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. 
+1.2.0-dev,True,client,client.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,client,client.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,cloud,cloud.account.id,keyword,extended,666777888999,The cloud account or organization id. +1.2.0-dev,True,cloud,cloud.availability_zone,keyword,extended,us-east-1c,Availability zone in which this host is running. +1.2.0-dev,True,cloud,cloud.instance.id,keyword,extended,i-1234567890abcdef0,Instance ID of the host machine. +1.2.0-dev,True,cloud,cloud.instance.name,keyword,extended,,Instance name of the host machine. +1.2.0-dev,True,cloud,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine. +1.2.0-dev,True,cloud,cloud.provider,keyword,extended,aws,Name of the cloud provider. +1.2.0-dev,True,cloud,cloud.region,keyword,extended,us-east-1,Region in which this host is running. +1.2.0-dev,True,container,container.id,keyword,core,,Unique container id. +1.2.0-dev,True,container,container.image.name,keyword,extended,,Name of the image the container was built on. +1.2.0-dev,True,container,container.image.tag,keyword,extended,,Container image tag. +1.2.0-dev,True,container,container.labels,object,extended,,Image labels. +1.2.0-dev,True,container,container.name,keyword,extended,,Container name. +1.2.0-dev,True,container,container.runtime,keyword,extended,docker,Runtime managing this container. +1.2.0-dev,True,destination,destination.address,keyword,extended,,Destination network address. +1.2.0-dev,True,destination,destination.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,destination,destination.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,destination,destination.bytes,long,core,184,Bytes sent from the destination to the source. 
+1.2.0-dev,True,destination,destination.domain,keyword,core,,Destination domain. +1.2.0-dev,True,destination,destination.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,destination,destination.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,destination,destination.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,destination,destination.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,destination,destination.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,destination,destination.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,destination,destination.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,destination,destination.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,destination,destination.ip,ip,core,,IP address of the destination. +1.2.0-dev,True,destination,destination.mac,keyword,core,,MAC address of the destination. +1.2.0-dev,True,destination,destination.nat.ip,ip,extended,,Destination NAT ip +1.2.0-dev,True,destination,destination.nat.port,long,extended,,Destination NAT Port +1.2.0-dev,True,destination,destination.packets,long,core,12,Packets sent from the destination to the source. +1.2.0-dev,True,destination,destination.port,long,core,,Port of the destination. +1.2.0-dev,True,destination,destination.registered_domain,keyword,extended,google.com,"The highest registered destination domain, stripped of the subdomain." +1.2.0-dev,True,destination,destination.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,destination,destination.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,destination,destination.user.email,keyword,extended,,User email address. 
+1.2.0-dev,True,destination,destination.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,destination,destination.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,destination,destination.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,destination,destination.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,destination,destination.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,destination,destination.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,destination,destination.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,dns,dns.answers,object,extended,,Array of DNS answers. +1.2.0-dev,True,dns,dns.answers.class,keyword,extended,IN,The class of DNS data contained in this resource record. +1.2.0-dev,True,dns,dns.answers.data,keyword,extended,10.10.10.10,The data describing the resource. +1.2.0-dev,True,dns,dns.answers.name,keyword,extended,www.google.com,The domain name to which this resource record pertains. +1.2.0-dev,True,dns,dns.answers.ttl,long,extended,180,The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +1.2.0-dev,True,dns,dns.answers.type,keyword,extended,CNAME,The type of data contained in this resource record. +1.2.0-dev,True,dns,dns.header_flags,keyword,extended,"['RD', 'RA']",Array of DNS header flags. +1.2.0-dev,True,dns,dns.id,keyword,extended,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.2.0-dev,True,dns,dns.op_code,keyword,extended,QUERY,The DNS operation code that specifies the kind of query in the message. 
This value is set by the originator of a query and copied into the response. +1.2.0-dev,True,dns,dns.question.class,keyword,extended,IN,The class of of records being queried. +1.2.0-dev,True,dns,dns.question.name,keyword,extended,www.google.com,The name being queried. +1.2.0-dev,True,dns,dns.question.registered_domain,keyword,extended,google.com,"The highest registered domain, stripped of the subdomain." +1.2.0-dev,True,dns,dns.question.subdomain,keyword,extended,www,The subdomain of the domain. +1.2.0-dev,True,dns,dns.question.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,dns,dns.question.type,keyword,extended,AAAA,The type of record being queried. +1.2.0-dev,True,dns,dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data +1.2.0-dev,True,dns,dns.response_code,keyword,extended,NOERROR,The DNS response code. +1.2.0-dev,True,dns,dns.type,keyword,extended,answer,"The type of DNS event captured, query or answer." +1.2.0-dev,True,ecs,ecs.version,keyword,core,1.0.0,ECS version this event conforms to. +1.2.0-dev,True,error,error.code,keyword,core,,Error code describing the error. +1.2.0-dev,True,error,error.id,keyword,core,,Unique identifier for the error. +1.2.0-dev,True,error,error.message,text,core,,Error message. +1.2.0-dev,False,error,error.stack_trace,keyword,extended,,The stack trace of this error in plain text. +1.2.0-dev,True,error,error.type,keyword,extended,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.2.0-dev,True,event,event.action,keyword,core,user-password-change,The action captured by the event. +1.2.0-dev,True,event,event.category,keyword,core,user-management,Event category. +1.2.0-dev,True,event,event.code,keyword,extended,4648,Identification code for this event. 
+1.2.0-dev,True,event,event.created,date,core,2016-05-23 08:05:34.857000,Time when the event was first read by an agent or by your pipeline. +1.2.0-dev,True,event,event.dataset,keyword,core,apache.access,Name of the dataset. +1.2.0-dev,True,event,event.duration,long,core,,Duration of the event in nanoseconds. +1.2.0-dev,True,event,event.end,date,extended,,event.end contains the date when the event ended or when the activity was last observed. +1.2.0-dev,True,event,event.hash,keyword,extended,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.2.0-dev,True,event,event.id,keyword,core,8a4f500d,Unique ID to describe the event. +1.2.0-dev,True,event,event.ingested,date,core,2016-05-23 08:05:35.101000,Timestamp when an event arrived in the central data store. +1.2.0-dev,True,event,event.kind,keyword,extended,state,The kind of the event. +1.2.0-dev,True,event,event.module,keyword,core,apache,Name of the module this data is coming from. +1.2.0-dev,False,event,event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.2.0-dev,True,event,event.outcome,keyword,extended,success,The outcome of the event. +1.2.0-dev,True,event,event.provider,keyword,extended,kernel,Source of the event. +1.2.0-dev,True,event,event.risk_score,float,core,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.2.0-dev,True,event,event.risk_score_norm,float,extended,,Normalized risk score or priority of the event (0-100). +1.2.0-dev,True,event,event.sequence,long,extended,,Sequence number of the event. +1.2.0-dev,True,event,event.severity,long,core,7,Numeric severity of the event. +1.2.0-dev,True,event,event.start,date,extended,,event.start contains the date when the event started or when the activity was first observed. 
+1.2.0-dev,True,event,event.timezone,keyword,extended,,Event time zone. +1.2.0-dev,True,event,event.type,keyword,core,,Reserved for future usage. +1.2.0-dev,True,file,file.accessed,date,extended,,Last time the file was accessed. +1.2.0-dev,True,file,file.created,date,extended,,File creation time. +1.2.0-dev,True,file,file.ctime,date,extended,,Last time the file attributes or metadata changed. +1.2.0-dev,True,file,file.device,keyword,extended,sda,Device that is the source of the file. +1.2.0-dev,True,file,file.directory,keyword,extended,/home/alice,Directory where the file is located. +1.2.0-dev,True,file,file.extension,keyword,extended,png,File extension. +1.2.0-dev,True,file,file.gid,keyword,extended,1001,Primary group ID (GID) of the file. +1.2.0-dev,True,file,file.group,keyword,extended,alice,Primary group name of the file. +1.2.0-dev,True,file,file.hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,file,file.hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,file,file.hash.sha256,keyword,extended,,SHA256 hash. +1.2.0-dev,True,file,file.hash.sha512,keyword,extended,,SHA512 hash. +1.2.0-dev,True,file,file.inode,keyword,extended,256383,Inode representing the file in the filesystem. +1.2.0-dev,True,file,file.mode,keyword,extended,0640,Mode of the file in octal representation. +1.2.0-dev,True,file,file.mtime,date,extended,,Last time the file content was modified. +1.2.0-dev,True,file,file.name,keyword,extended,example.png,"Name of the file including the extension, without the directory." +1.2.0-dev,True,file,file.owner,keyword,extended,alice,File owner's username. +1.2.0-dev,True,file,file.path,keyword,extended,/home/alice/example.png,Full path to the file. +1.2.0-dev,True,file,file.size,long,extended,16384,File size in bytes. +1.2.0-dev,True,file,file.target_path,keyword,extended,,Target path for symlinks. +1.2.0-dev,True,file,file.type,keyword,extended,file,"File type (file, dir, or symlink)." 
+1.2.0-dev,True,file,file.uid,keyword,extended,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.2.0-dev,True,geo,geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,geo,geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,geo,geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,geo,geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,geo,geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,geo,geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,geo,geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,geo,geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,group,group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,group,group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,group,group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,hash,hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,hash,hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,hash,hash.sha256,keyword,extended,,SHA256 hash. +1.2.0-dev,True,hash,hash.sha512,keyword,extended,,SHA512 hash. +1.2.0-dev,True,host,host.architecture,keyword,core,x86_64,Operating system architecture. +1.2.0-dev,True,host,host.domain,keyword,extended,CONTOSO,Name of the directory the group is a member of. +1.2.0-dev,True,host,host.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,host,host.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,host,host.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,host,host.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,host,host.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.2.0-dev,True,host,host.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,host,host.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,host,host.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,host,host.hostname,keyword,core,,Hostname of the host. +1.2.0-dev,True,host,host.id,keyword,core,,Unique host id. +1.2.0-dev,True,host,host.ip,ip,core,,Host ip address. +1.2.0-dev,True,host,host.mac,keyword,core,,Host mac address. +1.2.0-dev,True,host,host.name,keyword,core,,Name of the host. +1.2.0-dev,True,host,host.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,host,host.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,host,host.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,host,host.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,host,host.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,host,host.os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,host,host.type,keyword,core,,Type of host. +1.2.0-dev,True,host,host.uptime,long,extended,1325,Seconds the host has been up. +1.2.0-dev,True,host,host.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,host,host.user.email,keyword,extended,,User email address. +1.2.0-dev,True,host,host.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,host,host.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,host,host.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,host,host.user.group.name,keyword,extended,,Name of the group. 
+1.2.0-dev,True,host,host.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,host,host.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,host,host.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,http,http.request.body.bytes,long,extended,887,Size in bytes of the request body. +1.2.0-dev,True,http,http.request.body.content,keyword,extended,Hello world,The full HTTP request body. +1.2.0-dev,True,http,http.request.bytes,long,extended,1437,Total size in bytes of the request (body and headers). +1.2.0-dev,True,http,http.request.method,keyword,extended,"get, post, put",HTTP request method. +1.2.0-dev,True,http,http.request.referrer,keyword,extended,https://blog.example.com/,Referrer for this HTTP request. +1.2.0-dev,True,http,http.response.body.bytes,long,extended,887,Size in bytes of the response body. +1.2.0-dev,True,http,http.response.body.content,keyword,extended,Hello world,The full HTTP response body. +1.2.0-dev,True,http,http.response.bytes,long,extended,1437,Total size in bytes of the response (body and headers). +1.2.0-dev,True,http,http.response.status_code,long,extended,404,HTTP response status code. +1.2.0-dev,True,http,http.version,keyword,extended,1.1,HTTP version. +1.2.0-dev,True,log,log.level,keyword,core,error,Log level of the log event. +1.2.0-dev,True,log,log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.2.0-dev,True,log,log.origin.file.line,integer,extended,42,The line number of the file which originated the log event. +1.2.0-dev,True,log,log.origin.file.name,keyword,extended,Bootstrap.java,The file which originated the log event. +1.2.0-dev,True,log,log.origin.function,keyword,extended,init,The function which originated the log event. 
+1.2.0-dev,False,log,log.original,keyword,core,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.2.0-dev,True,log,log.syslog,object,extended,,Syslog metadata +1.2.0-dev,True,log,log.syslog.facility.code,long,extended,23,Syslog numeric facility of the event. +1.2.0-dev,True,log,log.syslog.facility.name,keyword,extended,local7,Syslog text-based facility of the event. +1.2.0-dev,True,log,log.syslog.priority,long,extended,135,Syslog priority of the event. +1.2.0-dev,True,log,log.syslog.severity.code,long,extended,3,Syslog numeric severity of the event. +1.2.0-dev,True,log,log.syslog.severity.name,keyword,extended,Error,Syslog text-based severity of the event. +1.2.0-dev,True,network,network.application,keyword,extended,aim,Application level protocol name. +1.2.0-dev,True,network,network.bytes,long,core,368,Total bytes transferred in both directions. +1.2.0-dev,True,network,network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.2.0-dev,True,network,network.direction,keyword,core,inbound,Direction of the network traffic. +1.2.0-dev,True,network,network.forwarded_ip,ip,core,192.1.1.2,Host IP address when the source IP address is the proxy. +1.2.0-dev,True,network,network.iana_number,keyword,extended,6,IANA Protocol Number. +1.2.0-dev,True,network,network.name,keyword,extended,Guest Wifi,Name given by operators to sections of their network. +1.2.0-dev,True,network,network.packets,long,core,24,Total packets transferred in both directions. +1.2.0-dev,True,network,network.protocol,keyword,core,http,L7 Network protocol name. +1.2.0-dev,True,network,network.transport,keyword,core,tcp,Protocol Name corresponding to the field `iana_number`. +1.2.0-dev,True,network,network.type,keyword,core,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.2.0-dev,True,observer,observer.geo.city_name,keyword,core,Montreal,City name. 
+1.2.0-dev,True,observer,observer.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,observer,observer.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,observer,observer.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,observer,observer.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,observer,observer.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,observer,observer.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,observer,observer.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,observer,observer.hostname,keyword,core,,Hostname of the observer. +1.2.0-dev,True,observer,observer.ip,ip,core,,IP address of the observer. +1.2.0-dev,True,observer,observer.mac,keyword,core,,MAC address of the observer +1.2.0-dev,True,observer,observer.name,keyword,extended,1_proxySG,Custom name of the observer. +1.2.0-dev,True,observer,observer.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,observer,observer.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,observer,observer.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,observer,observer.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,observer,observer.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,observer,observer.os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,observer,observer.product,keyword,extended,s200,The product name of the observer. +1.2.0-dev,True,observer,observer.serial_number,keyword,extended,,Observer serial number. 
+1.2.0-dev,True,observer,observer.type,keyword,core,firewall,The type of the observer the data is coming from. +1.2.0-dev,True,observer,observer.vendor,keyword,core,Symantec,Vendor name of the observer. +1.2.0-dev,True,observer,observer.version,keyword,core,,Observer version. +1.2.0-dev,True,organization,organization.id,keyword,extended,,Unique identifier for the organization. +1.2.0-dev,True,organization,organization.name,keyword,extended,,Organization name. +1.2.0-dev,True,os,os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,os,os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,os,os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,os,os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,os,os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,os,os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,package,package.architecture,keyword,extended,x86_64,Package architecture. +1.2.0-dev,True,package,package.build_version,keyword,extended,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.2.0-dev,True,package,package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.2.0-dev,True,package,package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.2.0-dev,True,package,package.install_scope,keyword,extended,global,"Indicating how the package was installed, e.g. user-local, global." +1.2.0-dev,True,package,package.installed,date,extended,,Time when package was installed. 
+1.2.0-dev,True,package,package.license,keyword,extended,Apache License 2.0,Package license +1.2.0-dev,True,package,package.name,keyword,extended,go,Package name +1.2.0-dev,True,package,package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.2.0-dev,True,package,package.reference,keyword,extended,https://golang.org,Package reference URL +1.2.0-dev,True,package,package.size,long,extended,62231,Package size in bytes. +1.2.0-dev,True,package,package.type,keyword,extended,rpm,Package type +1.2.0-dev,True,package,package.version,keyword,extended,1.12.9,Package version +1.2.0-dev,True,process,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.2.0-dev,True,process,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.2.0-dev,True,process,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. +1.2.0-dev,True,process,process.exit_code,long,extended,137,The exit code of the process. +1.2.0-dev,True,process,process.hash.md5,keyword,extended,,MD5 hash. +1.2.0-dev,True,process,process.hash.sha1,keyword,extended,,SHA1 hash. +1.2.0-dev,True,process,process.hash.sha256,keyword,extended,,SHA256 hash. +1.2.0-dev,True,process,process.hash.sha512,keyword,extended,,SHA512 hash. +1.2.0-dev,True,process,process.name,keyword,extended,ssh,Process name. +1.2.0-dev,True,process,process.parent.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.2.0-dev,True,process,process.parent.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.2.0-dev,True,process,process.parent.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. +1.2.0-dev,True,process,process.parent.exit_code,long,extended,137,The exit code of the process. 
+1.2.0-dev,True,process,process.parent.name,keyword,extended,ssh,Process name. +1.2.0-dev,True,process,process.parent.pgid,long,extended,,Identifier of the group of processes the process belongs to. +1.2.0-dev,True,process,process.parent.pid,long,core,4242,Process id. +1.2.0-dev,True,process,process.parent.ppid,long,extended,4241,Parent process' pid. +1.2.0-dev,True,process,process.parent.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. +1.2.0-dev,True,process,process.parent.thread.id,long,extended,4242,Thread ID. +1.2.0-dev,True,process,process.parent.thread.name,keyword,extended,thread-0,Thread name. +1.2.0-dev,True,process,process.parent.title,keyword,extended,,Process title. +1.2.0-dev,True,process,process.parent.uptime,long,extended,1325,Seconds the process has been up. +1.2.0-dev,True,process,process.parent.working_directory,keyword,extended,/home/alice,The working directory of the process. +1.2.0-dev,True,process,process.pgid,long,extended,,Identifier of the group of processes the process belongs to. +1.2.0-dev,True,process,process.pid,long,core,4242,Process id. +1.2.0-dev,True,process,process.ppid,long,extended,4241,Parent process' pid. +1.2.0-dev,True,process,process.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. +1.2.0-dev,True,process,process.thread.id,long,extended,4242,Thread ID. +1.2.0-dev,True,process,process.thread.name,keyword,extended,thread-0,Thread name. +1.2.0-dev,True,process,process.title,keyword,extended,,Process title. +1.2.0-dev,True,process,process.uptime,long,extended,1325,Seconds the process has been up. +1.2.0-dev,True,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. +1.2.0-dev,True,related,related.ip,ip,extended,,All of the IPs seen on your event. +1.2.0-dev,True,server,server.address,keyword,extended,,Server network address. 
+1.2.0-dev,True,server,server.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.2.0-dev,True,server,server.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,server,server.bytes,long,core,184,Bytes sent from the server to the client. +1.2.0-dev,True,server,server.domain,keyword,core,,Server domain. +1.2.0-dev,True,server,server.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,server,server.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,server,server.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,server,server.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,server,server.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,server,server.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,server,server.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,server,server.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,server,server.ip,ip,core,,IP address of the server. +1.2.0-dev,True,server,server.mac,keyword,core,,MAC address of the server. +1.2.0-dev,True,server,server.nat.ip,ip,extended,,Server NAT ip +1.2.0-dev,True,server,server.nat.port,long,extended,,Server NAT port +1.2.0-dev,True,server,server.packets,long,core,12,Packets sent from the server to the client. +1.2.0-dev,True,server,server.port,long,core,,Port of the server. +1.2.0-dev,True,server,server.registered_domain,keyword,extended,google.com,"The highest registered server domain, stripped of the subdomain." +1.2.0-dev,True,server,server.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+1.2.0-dev,True,server,server.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,server,server.user.email,keyword,extended,,User email address. +1.2.0-dev,True,server,server.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,server,server.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,server,server.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,server,server.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,server,server.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,server,server.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,server,server.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,service,service.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this service. +1.2.0-dev,True,service,service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.2.0-dev,True,service,service.name,keyword,core,elasticsearch-metrics,Name of the service. +1.2.0-dev,True,service,service.node.name,keyword,extended,instance-0000000016,Name of the service node. +1.2.0-dev,True,service,service.state,keyword,core,,Current state of the service. +1.2.0-dev,True,service,service.type,keyword,core,elasticsearch,The type of the service. +1.2.0-dev,True,service,service.version,keyword,core,3.2.4,Version of the service. +1.2.0-dev,True,source,source.address,keyword,extended,,Source network address. +1.2.0-dev,True,source,source.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
+1.2.0-dev,True,source,source.as.organization.name,keyword,extended,Google LLC,Organization name. +1.2.0-dev,True,source,source.bytes,long,core,184,Bytes sent from the source to the destination. +1.2.0-dev,True,source,source.domain,keyword,core,,Source domain. +1.2.0-dev,True,source,source.geo.city_name,keyword,core,Montreal,City name. +1.2.0-dev,True,source,source.geo.continent_name,keyword,core,North America,Name of the continent. +1.2.0-dev,True,source,source.geo.country_iso_code,keyword,core,CA,Country ISO code. +1.2.0-dev,True,source,source.geo.country_name,keyword,core,Canada,Country name. +1.2.0-dev,True,source,source.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.2.0-dev,True,source,source.geo.name,keyword,extended,boston-dc,User-defined description of a location. +1.2.0-dev,True,source,source.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. +1.2.0-dev,True,source,source.geo.region_name,keyword,core,Quebec,Region name. +1.2.0-dev,True,source,source.ip,ip,core,,IP address of the source. +1.2.0-dev,True,source,source.mac,keyword,core,,MAC address of the source. +1.2.0-dev,True,source,source.nat.ip,ip,extended,,Source NAT ip +1.2.0-dev,True,source,source.nat.port,long,extended,,Source NAT port +1.2.0-dev,True,source,source.packets,long,core,12,Packets sent from the source to the destination. +1.2.0-dev,True,source,source.port,long,core,,Port of the source. +1.2.0-dev,True,source,source.registered_domain,keyword,extended,google.com,"The highest registered source domain, stripped of the subdomain." +1.2.0-dev,True,source,source.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,source,source.user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,source,source.user.email,keyword,extended,,User email address. 
+1.2.0-dev,True,source,source.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,source,source.user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,source,source.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,source,source.user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,source,source.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,source,source.user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,source,source.user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,threat,threat.framework,keyword,extended,MITRE ATT&CK,Threat classification framework. +1.2.0-dev,True,threat,threat.tactic.id,keyword,extended,TA0040,Threat tactic id. +1.2.0-dev,True,threat,threat.tactic.name,keyword,extended,impact,Threat tactic. +1.2.0-dev,True,threat,threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference. +1.2.0-dev,True,threat,threat.technique.id,keyword,extended,T1499,Threat technique id. +1.2.0-dev,True,threat,threat.technique.name,keyword,extended,endpoint denial of service,Threat technique name. +1.2.0-dev,True,threat,threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,Threat technique reference. +1.2.0-dev,True,tls,tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.2.0-dev,True,tls,tls.client.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. 
+1.2.0-dev,True,tls,tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +1.2.0-dev,True,tls,tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.2.0-dev,True,tls,tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.2.0-dev,True,tls,tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.2.0-dev,True,tls,tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. 
+1.2.0-dev,True,tls,tls.client.server_name,keyword,extended,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." +1.2.0-dev,True,tls,tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.2.0-dev,True,tls,tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. +1.2.0-dev,True,tls,tls.curve,keyword,extended,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.2.0-dev,True,tls,tls.established,boolean,extended,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.2.0-dev,True,tls,tls.next_protocol,keyword,extended,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." +1.2.0-dev,True,tls,tls.resumed,boolean,extended,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.2.0-dev,True,tls,tls.server.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +1.2.0-dev,True,tls,tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. 
+1.2.0-dev,True,tls,tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.2.0-dev,True,tls,tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.2.0-dev,True,tls,tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.2.0-dev,True,tls,tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.2.0-dev,True,tls,tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.2.0-dev,True,tls,tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. +1.2.0-dev,True,tls,tls.server.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the server during the server hello. 
+1.2.0-dev,True,tls,tls.version,keyword,extended,1.2,Numeric part of the version parsed from the original string. +1.2.0-dev,True,tls,tls.version_protocol,keyword,extended,tls,Normalized lowercase protocol name parsed from original string. +1.2.0-dev,True,trace,trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.2.0-dev,True,transaction,transaction.id,keyword,extended,00f067aa0ba902b7,Unique identifier of the transaction. +1.2.0-dev,True,url,url.domain,keyword,extended,www.elastic.co,Domain of the url. +1.2.0-dev,True,url,url.extension,keyword,extended,png,File extension from the original request url. +1.2.0-dev,True,url,url.fragment,keyword,extended,,Portion of the url after the `#`. +1.2.0-dev,True,url,url.full,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.2.0-dev,True,url,url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.2.0-dev,True,url,url.password,keyword,extended,,Password of the request. +1.2.0-dev,True,url,url.path,keyword,extended,,"Path of the request, such as ""/search""." +1.2.0-dev,True,url,url.port,long,extended,443,"Port of the request, such as 443." +1.2.0-dev,True,url,url.query,keyword,extended,,Query string of the request. +1.2.0-dev,True,url,url.registered_domain,keyword,extended,google.com,"The highest registered url domain, stripped of the subdomain." +1.2.0-dev,True,url,url.scheme,keyword,extended,https,Scheme of the url. +1.2.0-dev,True,url,url.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.2.0-dev,True,url,url.username,keyword,extended,,Username of the request. +1.2.0-dev,True,user,user.domain,keyword,extended,,Name of the directory the user is a member of. +1.2.0-dev,True,user,user.email,keyword,extended,,User email address. 
+1.2.0-dev,True,user,user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." +1.2.0-dev,True,user,user.group.domain,keyword,extended,,Name of the directory the group is a member of. +1.2.0-dev,True,user,user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. +1.2.0-dev,True,user,user.group.name,keyword,extended,,Name of the group. +1.2.0-dev,True,user,user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. +1.2.0-dev,True,user,user.id,keyword,core,,One or multiple unique identifiers of the user. +1.2.0-dev,True,user,user.name,keyword,core,albert,Short name or login of the user. +1.2.0-dev,True,user_agent,user_agent.device.name,keyword,extended,iPhone,Name of the device. +1.2.0-dev,True,user_agent,user_agent.name,keyword,extended,Safari,Name of the user agent. +1.2.0-dev,True,user_agent,user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed version of the user_agent. +1.2.0-dev,True,user_agent,user_agent.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.2.0-dev,True,user_agent,user_agent.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." +1.2.0-dev,True,user_agent,user_agent.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. +1.2.0-dev,True,user_agent,user_agent.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." +1.2.0-dev,True,user_agent,user_agent.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.2.0-dev,True,user_agent,user_agent.os.version,keyword,extended,10.14.1,Operating system version as a raw string. +1.2.0-dev,True,user_agent,user_agent.version,keyword,extended,12.0,Version of the user agent. 
+1.2.0-dev,True,vulnerability,vulnerability.category,keyword,extended,"[""Firewall""]",Category of a vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.classification,keyword,extended,CVSS,Classification of the vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.enumeration,keyword,extended,CVE,Identifier of the vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.id,keyword,extended,CVE-2019-00001,ID of the vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.2.0-dev,True,vulnerability,vulnerability.report_id,keyword,extended,20191018.0001,Scan identification number. +1.2.0-dev,True,vulnerability,vulnerability.scanner.vendor,keyword,extended,Tenable,Name of the scanner vendor. +1.2.0-dev,True,vulnerability,vulnerability.score.base,float,extended,5.5,Vulnerability Base score. +1.2.0-dev,True,vulnerability,vulnerability.score.environmental,float,extended,5.5,Vulnerability Environmental score. +1.2.0-dev,True,vulnerability,vulnerability.score.temporal,float,extended,,Vulnerability Temporal score. +1.2.0-dev,True,vulnerability,vulnerability.score.version,keyword,extended,2.0,CVSS version. +1.2.0-dev,True,vulnerability,vulnerability.severity,keyword,extended,Critical,Severity of the vulnerability. diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py index 4b900065b9..2a652f4217 100644 --- a/scripts/generators/csv_generator.py +++ b/scripts/generators/csv_generator.py 
@@ -29,11 +29,12 @@ def save_csv(file, sorted_fields, version): quoting=csv.QUOTE_MINIMAL, lineterminator='\n') - schema_writer.writerow(["ECS version", "Indexed", "Field", "Type", "Level", "Example", "Description"]) + schema_writer.writerow(["ECS version", "Indexed", "Field Set", "Field", "Type", "Level", "Example", "Description"]) for field in sorted_fields: schema_writer.writerow([ version, field.get('index', True), + field['flat_name'].split('.')[0], field['flat_name'], field['type'], field['level'], From be6d43cebdbd00880e856ecb59359a622e80f4b2 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 21 Nov 2019 00:17:37 -0500 Subject: [PATCH 3/7] Add support for 'base' field set in the fs column --- generated/csv/fields.csv | 8 ++++---- scripts/generators/csv_generator.py | 8 +++++++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 0a557711ca..c5e875d833 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,8 +1,8 @@ ECS version,Indexed,Field Set,Field,Type,Level,Example,Description -1.2.0-dev,True,@timestamp,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.2.0-dev,True,labels,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. -1.2.0-dev,True,message,message,text,core,Hello World,Log message optimized for viewing in a log viewer. -1.2.0-dev,True,tags,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. +1.2.0-dev,True,base,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.2.0-dev,True,base,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. +1.2.0-dev,True,base,message,text,core,Hello World,Log message optimized for viewing in a log viewer. +1.2.0-dev,True,base,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. 1.2.0-dev,True,agent,agent.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this agent. 1.2.0-dev,True,agent,agent.id,keyword,core,8a4f500d,Unique identifier of this agent. 1.2.0-dev,True,agent,agent.name,keyword,core,foo,Custom name of the agent. diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py index 2a652f4217..ba378e7109 100644 --- a/scripts/generators/csv_generator.py +++ b/scripts/generators/csv_generator.py @@ -31,10 +31,16 @@ def save_csv(file, sorted_fields, version): schema_writer.writerow(["ECS version", "Indexed", "Field Set", "Field", "Type", "Level", "Example", "Description"]) for field in sorted_fields: + key_parts = field['flat_name'].split('.') + if len(key_parts) == 1: + field_set = 'base' + else: + field_set = key_parts[0] + schema_writer.writerow([ version, field.get('index', True), - field['flat_name'].split('.')[0], + field_set, field['flat_name'], field['type'], field['level'], From f1417a9af9e705083d8a6b009716359aa98542a8 Mon Sep 17 00:00:00 2001 
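Review bot: The field-set derivation added to the loop body builds a full `split('.')` list only to read its first element and its length; `str.partition` states the intent without the temporary list and the `len(...) == 1` check: `field_set, sep, _ = field['flat_name'].partition('.')` followed by `field_set = field_set if sep else 'base'`. This is a style point only — the result is the same for every flat name, including the dotless `@timestamp`/`labels`/`message`/`tags` that this commit now maps to `base`. Whichever form stays, the literal `'base'` deserves a why-comment next to it, e.g. `# Top-level (dotless) fields belong to the 'base' field set`, since nothing in the dict says so. If the field dicts loaded from the schema already carry the owning schema's name, reading that would be more robust than re-deriving it from the flat name, but I cannot tell from this hunk whether such a key exists. `save_csv` begins before this hunk (only its signature appears in the `@@` context), so the function's docstring is not visible here and may also want a line on the new column.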
From: Mathieu Martin Date: Thu, 21 Nov 2019 09:16:11 -0500 Subject: [PATCH 4/7] Python formatting --- scripts/generators/csv_generator.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py index ba378e7109..4d56d60d3d 100644 --- a/scripts/generators/csv_generator.py +++ b/scripts/generators/csv_generator.py @@ -29,7 +29,8 @@ def save_csv(file, sorted_fields, version): quoting=csv.QUOTE_MINIMAL, lineterminator='\n') - schema_writer.writerow(["ECS version", "Indexed", "Field Set", "Field", "Type", "Level", "Example", "Description"]) + schema_writer.writerow(["ECS version", "Indexed", "Field Set", "Field", + "Type", "Level", "Example", "Description"]) for field in sorted_fields: key_parts = field['flat_name'].split('.') if len(key_parts) == 1: From 25cff0fed49d1d284c7f6e31b5ce9ffee1acdfc1 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 25 Nov 2019 10:20:48 -0500 Subject: [PATCH 5/7] No space in column names --- generated/csv/fields.csv | 2 +- scripts/generators/csv_generator.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c5e875d833..ea6375feff 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1,4 +1,4 @@ -ECS version,Indexed,Field Set,Field,Type,Level,Example,Description +ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.2.0-dev,True,base,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. 1.2.0-dev,True,base,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. 1.2.0-dev,True,base,message,text,core,Hello World,Log message optimized for viewing in a log viewer. diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py index 4d56d60d3d..47be62f672 100644 --- a/scripts/generators/csv_generator.py +++ b/scripts/generators/csv_generator.py 
@@ -29,7 +29,7 @@ def save_csv(file, sorted_fields, version): quoting=csv.QUOTE_MINIMAL, lineterminator='\n') - schema_writer.writerow(["ECS version", "Indexed", "Field Set", "Field", + schema_writer.writerow(["ECS_Version", "Indexed", "Field_Set", "Field", "Type", "Level", "Example", "Description"]) for field in sorted_fields: key_parts = field['flat_name'].split('.') From e16e86e90ab4e84965054fb48a294851cf0a2eda Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 25 Nov 2019 10:52:46 -0500 Subject: [PATCH 6/7] Changelog --- CHANGELOG.next.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7f249b49cc..2dc9e9b30c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -37,10 +37,14 @@ Thanks, you're awesome :-) --> #### Breaking changes +* Changed the order and column names in the csv. #621 + #### Bugfixes #### Added +* Added the "Indexed" and "Description" columns to the csv. #621 + #### Improvements #### Deprecated From d8923d74437b857d06413de1d8ee73d88f2281d3 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 25 Nov 2019 11:54:03 -0500 Subject: [PATCH 7/7] Changelog --- CHANGELOG.next.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2dc9e9b30c..d61f39e197 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -43,7 +43,7 @@ Thanks, you're awesome :-) --> #### Added -* Added the "Indexed" and "Description" columns to the csv. #621 +* Added the "Indexed", "Field\_Set" and "Description" columns to the csv. #621 #### Improvements