18 changes: 17 additions & 1 deletion doc_templates/endpoint/docs/CustomDocumentationREADME.md
Expand Up @@ -2,11 +2,27 @@

**This documentation is still beta**

The subdirectories document all ECS fields that may exist in documents generated by Endpoint into
These subdirectories document all ECS fields that may exist in documents generated by Elastic Defend (aka Endpoint) into
logs and metrics datastreams. Only fields included by Endpoint are documented, those added during
integration pipeline enrichment in Elasticsearch are not within the scope of this documentation.

Endpoint state management documents are described in a cross-platform way because they are largely
identical on each OS. Events are documented per-OS. Documentation for each state management or event
document includes the relevant OS(es), the data stream the document is found in, a KQL filter to
match on the document, and all the fields associated with the document.

The mapping between each directory/data stream and the Kibana feature name are:

| Directory | Data Stream | Kibana feature | Note |
| --------- | ----------- | -------------- | ---- |
| alerts | `logs-endpoint.alerts-*` | Malware / Ransomware / Memory Threat / Malicious Behavior | |
| api | `logs-endpoint.events.api-*` | API events | |
| file | `logs-endpoint.events.file-*` | File Events | |
| library | `logs-endpoint.events.library-*` | DLL and Driver Load events | |
| metadata | `metrics-endpoint.metadata-*` | | This is for internal state management documents |
| metrics | `metrics-endpoint.metrics-*` | | This is for internal state management documents |
| network | `logs-endpoint.events.network-*` | DNS and Network events | Both DNS and Network events share a single datastream |
| policy | `metrics-endpoint.policy-*` | | This is for internal state management documents |
| process | `logs-endpoint.events.process-*` | Process events | Session and Terminal Output data on Linux is included in this datastream |
| registry | `logs-endpoint.events.registry-*` | Registry events | |
| security | `logs-endpoint.events.security-*` | Security events | |
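Review bot: the sentence introducing the table in this hunk has a subject-verb mismatch, "The mapping between each directory/data stream and the Kibana feature name are:" should read "The mapping between each directory/data stream and the Kibana feature name is:" (or "The mappings ... are:"). Since the paragraph above states that events are documented per-OS, the Note column could also record which OS(es) each events data stream applies to, the way the process row already does for Linux Session and Terminal Output data, so a reader does not have to open every subdirectory to find out. Minor: the hunk uses both "datastream" and "data stream" (e.g. "logs and metrics datastreams", "Both DNS and Network events share a single datastream" versus "Data Stream" in the table header); pick one spelling.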