You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: packages/wiz/docs/README.md
+45-1Lines changed: 45 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -445,7 +445,51 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi
445
445
446
446
**Exported fields**
447
447
448
-
(no fields available)
448
+
| Field | Description | Type |
449
+
|---|---|---|
450
+
|@timestamp| Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
451
+
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-`\* No longer than 100 characters | constant_keyword |
452
+
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-`\* No longer than 100 characters | constant_keyword |
453
+
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
454
+
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
455
+
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
456
+
| input.type | Type of filebeat input. | keyword |
457
+
| log.offset | Log offset. | long |
458
+
| resource.id || keyword |
459
+
| resource.name || keyword |
460
+
| resource.sub_type || keyword |
461
+
| resource.type || keyword |
462
+
| result.evaluation || keyword |
463
+
| result.evidence.cloud_configuration_link || text |
464
+
| result.evidence.configuration_path || text |
465
+
| result.evidence.current_value || text |
466
+
| result.evidence.expected_value || text |
467
+
| rule.remediation || keyword |
468
+
| tags | List of keywords used to tag each event. | keyword |
469
+
| wiz.cloud_configuration_finding_full_posture.analyzed_at || date |
470
+
| wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link || text |
471
+
| wiz.cloud_configuration_finding_full_posture.evidence.configuration_path || text |
472
+
| wiz.cloud_configuration_finding_full_posture.evidence.current_value || text |
473
+
| wiz.cloud_configuration_finding_full_posture.evidence.expected_value || text |
0 commit comments